Tag Archives: Supply Chain Fraud

Counterfeits can compromise your Supply Chain Integrity

Posted on by

Paul Curwell, CPP, CFE, CISSP

How counterfeiting threatens Supply Chain Integrity

Counterfeiting has been prevalent throughout the global industrial era, and given its profitability and the low risk of conviction for offenders it is not going away anytime soon. Unfortunately, there have been numerous examples of public and private organisations which unknowingly procure counterfeit, fraudulent, substituted or substandard products in their supply chain – two such examples include:

  • June 2020: U.S. Air Force pilot 1st Lt. David Schmitz died when his parachute didn’t deploy from a malfunctioning ejection seat, which the US Air Force later found may have contained up to ten counterfeit and faulting resistors and semiconductor chips
  • March 2021: Police in China and South Africa seized thousands of fake doses of Covid-19 vaccine, with Interpol warning this represented only the “tip of the iceberg” globally. Police raided the manufacturing premises, arresting ~80 suspects and seizing over 3,000 fake vaccines

As the above examples show, it is all too easy for counterfeit materials to enter the supply chain of even the world’s largest organisations. Critical Infrastructure operators, such as those falling under the purview of Australia’s Security of Critical Infrastructure Act 2018, have a requirement to use high quality parts and components produced by reputable manufacturers to an engineer’s specifications, whilst in life sciences, fraudulent or substandard medicines frequently cause premature death or serious injury.

flight flying airplane jet
Photo by Pixabay on Pexels.com

How do sub-standard parts enter a supply chain?

Before we explore this further, we need to remember there are two perspectives here: (1) what a manufacturer can do to ensure their products are not counterfeited or compromised between the factory and the end user, and (2) what end users can do to ensure they do not introduce compromised product into their inventory or operations. The second option is the focus of this post.

Sub-standard, counterfeit or fraudulent parts / components / products (also referred to as ‘non-conforming‘ materials) can enter the supply chain in at least four ways, including:

  • Supplier intentionally introduces non-conforming material, perhaps for profit or because they are unable to obtain the conforming item and do not want to risk their relationship with the buyer
  • Supplier unintentionally introduces non-conforming material as a result of inadequate or complacent internal practices and procedures
  • Corrupt or malicious insider compromises the supply chain for gain or profit, or,
  • As a result of foreign interference by a nation state actor against an adversary

Given these vectors for introducing non-conforming materials, how can organisations protect their supply chain integrity? The answer is developing an Anti-Counterfeit Management Plan, otherwise known as a Material Authenticity Assurance Plan (MAAP), which based on AS6174 published by SAE International can be developed in five main steps.

woman in black shirt holding a hand sanitizer bottle
Photo by Anna Tarazevich on Pexels.com

Step 1 – Assess the risk posed by sourcing counterfeit product

I have previously written about the concept of security risk management and the fact that we can’t treat all problems to the same standard: Risk management decisions must be based on risk appetite and focused on using a business’s limited resources to protect the most critical assets.

For a buyer, the risk of counterfeit parts is largely a quality control issue as long as there are multiple qualified suppliers in a given market. However, for products requiring specific know-how or capability, or where Intellectual Property licensing applies, different sourcing considerations are required.

The first step in managing supply chain integrity issues arising from counterfeits involves identifying those areas where the business impact of compromise is greatest. This allows sourcing managers to modify their approach and policies to compensate for potential risks. One example of criticality tiering by product can be found below:

Impact / CriticalityType of product
HIGH LIfe dependent applications
Safety critical applications
Mission critical applications
Applications where field work / repair is impossible
MEDIUM Reclaimed / Refurbished parts
Application critical
Product is accessible for field repair
Short product life expectancy
LOW Non-critical applications
AS6174 – SAE International
man in black jacket standing beside black car
Photo by Andrea Piacquadio on Pexels.com

Step 2 – Identify which sources provide the greatest assurance

Budget is always a finite issue in any organisation, and it is not always possible (or necessary) to buy the best of everything. Where multiple suppliers exist it makes good business sense to buy the highest quality items (typically the most expensive) for those areas which are the most critical either to your business’ operations or to life and safety.

So how do you determine this? SAE International provides useful guidance here, ranking the main types of ‘source’ in order of those which provide the greatest level of confidence that their materials will be high quality (and therefore the lowest risk of non-conformance):

Confidence Level
(non-conformance risk)		Product / Component Source
HIGH
(LOW risk)		OEM or Certified Manufacturer
Authorised Distributor
Original Manufacturer or Contract Manufacturer
MEDIUMVetted or pre-qualified Independent Distributor (e.g. verified quality, reputation)
Unknown Independent Distributor (e.g. quality, reputation not asessed)
Unknown source
LOW
(VERY HIGH risk)		Vendor is subject to adverse reporting from industry participants (i.e. other buyers have reported purchasing non-confirming product from this seller)
AS6174 – SAE International

Step 3 – Develop your organisation’s product assurance processes

The risk of sourcing non-conforming material is omnipresent for any critical industry or life sciences organisation, so undertaking assurance on your suppliers and any parts / components / software purchased from them is an ongoing activity for the life of your operations.

For physical products, there are four ways to obtain this assurance which can be used in isolation or in combination depending on the risk profile:

  • Document and packaging inspection – before opening the package, inspect for obvious tampering, spelling errors, typographic issues, missing or damaged holograms, peeling labels, amended dates, etc.
  • Visual Inspection – remove the product / part / component from the packaging. Does it match the expected style, form and quality of what was ordered?
  • Non-Destructive Testing – involves radiological, acoustic, thermographic and optical techniques to verify conformance without damaging the component / part / product.
  • Destructive Testing – usually used as a last resort these options involve analytical chemistry, deformation and metallurgical tests, exposure tests, and functional tests which will likely damage the component / part / product.

Further information can be found here. Irrespective of whether fraudulent, substandard or counterfeit, non-conforming materials identified should always be removed from circulation within the organisation’s inventory or operations, and either retained as evidence for legal and associated purposes, securely destroyed or returned to the supplier (depending on your policies and obligations).

top view photo of white keyboard
Photo by Olena Bohovyk on Pexels.com

Step 4 – Plan for contingencies

It is a fact of life that manufacturers stop producing products / components due to factors such as shortages in raw materials, financial solvency, or simply product strategy decisions. Buyers who require parts or components to support an extended operational life of say two to three decades need to implement plans to mitigate these risks.

Contingencies include purchasing additional inventory, regular engagement with manufacturers to obtain advanced notice of production changes, finding contract manufacturers, or sourcing alternative components.

Step 5 – Document your Product Assurance Framework

To ensure consistency and proper governance some sort of framework is required to set out your organisation’s policies, risk appetite, roles and responsibilities, regulatory compliance obligations, key risks and controls, staff awareness training and product assurance program.

A documented provides a mechanism to ensure consistent implementation throughout the organisation, and a mechanism to continuously improve as well as benchmark historical performance.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Supply chain integrity and security: what are the risks? (Part II)

Posted on by

Paul Curwell, CPP, CFE, CISSP

Introduction

Part I of this article addressed the concept of Supply Chain Integrity, which is increasingly being bunded with security under the banner ‘Supply Chain Integrity and Security’ (SCIS). SCIS is part of the broader domain of Supply Chain Risk Management (SCRM), which is undergoing its own renaissance thanks to distruptions to global trade and commerce arising from the COVID-19 pandemic and the war in Ukraine.

Part II of the article is continued here examines what we mean by the concept of Supply Chain Security, and how the field is evolving in response to the world’s changing geostrategic climate.

Photo by Julius Silver on Pexels.com

Supply Chain Security – a rapidly changing field

Supply Chain Security has undergone multiple expansions in scope to accomodate the evolving global threat environment, changes in international commerce, technological innovation and increasingly the 4th industrial revolution. However, this evolution has largely gone unreported by commentators in the field, with many books and articles on the subject failing to reflect the broad scope of risks now recognised by critical infrastructure and governments globally. As an example, Supply Chain Security traditionally focused on two main risks:

Practitioners in this area have largely focused around logistics, with security programs focusing on controls such as shipping container seals and GPS vehicle tracking. The events of September 11, 2001, helped sharpen this focus, with the USA enhancing a scheme to help mitigate supply chain security risks posed by terrorism (known as C-TPAT). Examples of equivalent national schemes include:

Photo by Fabiola Ulate on Pexels.com

To coordinate a consistent global response and maintain safe and secure trade and commerce, the World Customs Organisation (WCO) introduced the SAFE Framework of Standards to Secure and Facilitate Global Trade in 2005, followed by the  Authorized Economic Operators (AEO) Programme in 2007. This perspective on supply chain security is reinforced by various global standards including ISO28001, which is intended to complement the SAFE Framework. However, whilst risks like terrorism, theft and product diversion all remain relevant, Supply Chain Security has evolved even further in the past ten years to reflect geopolitical threats in the current operating environment.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Consequently, the USA, UK, Canada and Australia have all issued updated guidance on Supply Chain Security, which has expanded significantly from theft, diversion and terrorism to encompass the more complete spectrum of what the US Government calls ‘Supply Chain Threats’:

In addition to ‘security’ focused risks, a range of frauds can also materialise in the supply chain. For some organisations, it makes sense to address security, integrity and fraud issues in the supply chain within the same business function or framework, whilst for others they are separated to completely different parts of the organisation. However, common risks here include:

I have already written about a number of these supply chain frauds in other articles on @ForewarnedBlog (refer hyperlinks above). Future articles will also cover aspects of this topic.

Risks and business processes with a nexus to Supply Chain Integrity and Security

In any organisation, there are a number of business functions which commonly touch on aspects related to Supply Chain Risk Management. SCIS programs should try to leverage these resources where possible, either through use of common team to execute a process or through smart process design, which means a common process is used to address multiple distinct business requirements.

Photo by Wilson Malone on Pexels.com

Examples here include due diligence and supplier audits which can be performed once and the results reused multiple times to comply with a range of regulatory obligations or business needs. Examples of risks with a nexus to SCIS that might be leveraged include:

When designing your supply chain risk management program, look across your organisation into other areas or teams (such as procurement, finance, sustainability and compliance) to understand work already performed and identify opportunities to streamline processes and systems.

In addition to reducing your operating costs, this approach could improve your supplier’s experience when dealing with you. Sometimes from a supplier’s perspective, a customer can just become too much hard work, leading to increased prices (in an attempt to encourage you to find an alternate supplier) or severance of the relationship overall.

A common example I encounter is where a supplier is asked for the same information multiple times by different teams from the same buyer, leading to wasted effort and frustration. Managing third party or supplier relationships are exactly that – a relationship – so there needs to be an element of give and take by both parties.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What’s the problem with conflicts of interest?

Posted on by

Paul Curwell, CPP, CFE, CISSP

Photo by Brett Jordan on Pexels.com

What are conflicts of interest?

At their core, conflicts of interest are about integrity. ‘Conflict of interest‘ arise in situations where employees or third party legal entities such as vendors or business partners (including employees of those third parties) could be influenced, or where it could be perceived that they are influenced, by a ‘personal’ interest in carrying out their duty (Commonwealth Ombudsman 2017).

In this sense, ‘personal’ interest refers to perceived or actual benefits being derived, ranging from money to relationships or reputation. There are three forms of conflicts of interest (Commonwealth Ombudsman 2017):

  • Actual conflict – where a direct conflict arises between an individual or entity’s personal interest and their fiduciary duties
  • Perceived conflict – situations where others might perceive a conflict (even if an actual conflict does not exist)
  • Potential conflict – situations which in the future could give rise to an actual or perceived conflict of interest but have not yet happened

Are conflicts of interest fraud?

Conflicts of interest are considered one of four ‘corruption schemes‘ by the Association of Certified Fraud Examiners (ACFE), the other three being bribery, illegal gratuities, and economic extortion. However, unlike some types of fraud, an actual conflict of interest only becomes fraudulent if it is not declared.

Photo by Brett Jordan on Pexels.com

Declaring a conflict of interest (whether actual, perceived or potential) provides an opportunity for it to be managed, which could include the conflicted party recusing themselves from the conflicting situation or decision, or declaring this conflict to peers (such as where a board member is conflicted through multiple interests).

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

How do conflicts of interest arise?

Conflicts of interest arise can either intentionally or unintentionally (Commonwealth Ombudsman 2017) :

  • Intentional conflicts occur where an individual or legal entity knowingly puts itself in a conflicting situation. This could arise where a potential conflict is entered into with the full knowledge of all affected parties (and appropriately managed), or where the party gaining a personal benefit attempts to conceal the conflict (fraud)
  • Unintentional conflicts arise from poor management or awareness by affected parties, such as where employees do not recieve conflicts of interest awareness training, employers do not have conflicts of interest policies or require attestations.
Photo by Jopwell on Pexels.com

Declarations – a key part of conflicts management

Conflicts of interest are all about transparency, or the lack thereof. Declarations are a key component of managing conflicts. Irrespective of whether an employee, contractor, supplier or potential business associate, businesses need to understand what (if any) potential conflicts they may have and work through a process to evaluate them.

Typically, the easiest way of managing conflicts of interest is avoiding them, but this is not always possible. Where a conflict does or may arise, it must be evaluated – sometimes this process can be quite onerous.

The U.S. National Academies of Sciences (NAS) notes that “conflicts are not binary (present or absent)”, and that they “can be more or less severe”. The NAS identifies two factors to assist decision makers when evaluating a conflict of interest declaration, being (a) the likelihood of undue influence by the secondary interest, and (b) the seriousness of the outcome. The NAS presents this useful rubric for assessing confict of interests:

Likelihood of undue interestSeverity of potential harm
What is the value of the secondary interest?What is the value of the primary interest?
What is the scope of the relationship?What is the scope of the consequences?
What is the extent of discretion?What is the extent of accountability?
NAS (2009) – Chapter 2 Principles for Identifying and Assessing Conflicts of Interest

Depending on severity or perceived harm, treating a conflict of interest may require removing the conflicted individual / entity from the decision making process, or in other cases severing the business relationship entirely. Exactly how you need to manage a conflict depends on the situation (noting that in some cases there may be applicable legislation which will also govern this).

Good practice requires organisations to collect information on conflicted individuals or entities regularly – there is no set timeframe for this, but an annual declaration coupled with voluntary event-based disclosures by the affected party if they arise, makes sense for most organisations. Any more frequent and the program can be difficult to manage, whilst a longer gap between declarations can give employees the impression that conflicts aren’t important, as well as meaning the organisation is working on out of date information.

Once conflicts are identified and confirmed, managers of those employees or affected contracts (e.g. vendor managers) must be made aware of the conflict and charged with managing the risk in accordance with the organisation’s agreed treatment plan.

The challenge of detecting undeclared conflicts

Managing declared conflicts can be challenging enough for large organisations, however detecting them is something different altogether. Without a properly structured approach it is possible to spend a lot of time, effort and money without identifying anything conclusive.

Photo by cottonbro on Pexels.com

In the absence of an allegation, such as a tip-off from a whistleblower or competing vendor, organisations seeking to be proactive in detecting potential undeclared conflicts should focus their resources on the business units, processes, people or vendors of highest risk. The ACFE identifies three main types of conflict of interest scheme (Wells, 2007):

  • Purchasing Schemes – where a conflicted party manipulates the victim’s purchasing process to the benefit of the entity to which they are conflicted
  • Sales Schemes – where the conflicted party negotiates discounts or processes write-offs to benefit the entity to which they are conflicted
  • Other schemes – where the conflicted party diverts funds, clients / sales leads, and / or resources such as equipment from their employer to the entity to which they are conflicted for the conflicted entity’s benefit

Each of these categories of scheme is comprised of a number of typologies (perhaps best thought of as variations), some of which are more easily detected than others.

As you can see, conflicts of interest schemes can arise amongst employees in sourcing and procurement or sales and marketing roles; however, this is not exclusively the case. Conflicts of interest are generally quite complex to both detect and investigate. Typical methods of detecting conflicts include fraud data analytics (fraud detection) and investigative techniques including (Wells, 2007):

  • Supplier vetting or due diligence (and comparison of ownership data with employee and contractor names and other indicators, such as phone numbers)
  • Matching of supplier / vendor and employee identifiers (eg.g. Address, phone number data)
  • Identification of employees who are take up employment with a vendor after termination
  • Tipoffs and complaints, including from other disaffected vendors who are losing work as a result of the corruption scheme as well as employees who notice inconsistencies or favouritism

A well designed integrity program, inclusive of appropriate internal controls in key areas (such as purchasing), awareness programs and annual attestations can help mitigate the risk of these insider threats. Perhaps most importantly though, these same practices must extend to third parties, whether a vendor, business partner or other classification. A third party’s employees or contractors in positions which place the contracting entity at risk must be managed and monitored closely, sometimes with even more scrutiny than may be applied to the contracting entities staff – this decision is dependent on where the risk lies, and the inherent and residual rating of that risk.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Theft of fuel from HMS Bulwark – a diversion case study

Posted on by

Paul Curwell, CPP, CFE, CISSP

What happened?

This story broke in the media on 7 April 2022, with multiple articles claiming the theft of fuel from a high security Royal Navy base in the United Kingdom. According to Sky News, “the diesel was siphoned from a tanker in a heist that reportedly “ran for weeks” with most of it having been “flogged on the black market”. Some articles claim the fuel was being used to run diesel generators on HMS Bulkwark whilst it is alongside and undergoing refit.

HMS Bulkwark, Albion-class assault ship, Royal Navy, United Kindgom

Further details on the case are limited, other than the fact that the case is under invetistigation by the UK Ministry of Defence and that the alarm was drawn when a guard at the base became suspicious. Unfortunately the theft of fuel is a common occurance – as a perisable commodity which retains its value in the market, fuel is in high demand and can be readily converted to cash when diverted even in small quantities, or alternately consumed for personal use.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

A case of diversion or shrinkage? Motive is key

The fact that fuel was stolen means this is an offence of theft, or potentially fraud depending on whether deception was used to perpetrate the crime. Given events took place on a secure military base where it is reasonable to assume you cannot simply walk in or out, it is reasonable to assume an element of deception (i.e. fraud).

Either way, whilst details are limited in the public domain it is possible to develop further insights into the crime for the purposes of building this case study. For example, we know this scam went on for weeks. According to Wikipedia, the capacity of a fuel tanker truck ranges from 20,800 to 43,900 litres. Google reveals that the average capacity of an SUV on the road is up to 70 litres.

To provide an order of magnitude, 2% of 43,900 litres is 878 litres, which equates to around 12.5 full SUV tanks. If this scam was perpetrated once a day for 7 days, we are talking about over 6,000 litres of diesel being stolen each week. With current Australian diesel costs averaging $1.95 per litre as at 14 April 2022, this equates to illicit earnings of just under AUD$12,000 per week (AUD$624,00 per annum). To be clear, there is no indication of quantum or order of magnitude in the media, so this is hypothetical and indicative only.

AA van with Jeep SUV broken down in Kensington Gardens by David Hawgood is licensed under CC-BY-SA 2.0

So does this activity equate to shrinkage or diversion?

  • Shrinkage is an accounting term used to describe when a store has fewer items in stock than in its recorded book inventory (Shopify). Shrinkage can be the result of process or quality issues, as well as theft and fraud.
  • Product Diversion refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel (Curwell)

In practice, I tend to view shrinkage as being less organised and not ‘commercial’ in scale, whereas diversion is typically more organised and more commercial in nature. Given this has been going on for weeks as well as the volume and illicit revenue estimates outlined above, I would suggest this is clearly a case of product diversion. Further, in my taxonomy of product diversion risks, this is defined as “Product stolen from distribution or supply chain“.

How can these types of product diversion events be detected generally?

Product diversion shares similarities with other frauds. According to the Association of Certified Fraud Examiners (ACFE) Occupational Fraud 2022: Report to the Nations study:

  • 42% of business frauds globally are detected via tip offs,
  • 16% through internal audit, and,
  • 12% through management review.

Interestingly, 5% of cases were detected by accident – exactly how the Royal Navy guard discovered this diversion incident.

When you know what you are looking for, the application of fraud analytics techniques means product diversion can be detected provided you have the right data and you assemble and analyse this data in a manner that will allow you to identify potential indicators of diversionary activity.

Photo by Lou00efc Manegarium on Pexels.com

From my understanding of the situation, there are at least four primary records that, when ‘joined‘ together, could be used to identify similar product diversion cases pertaining to oil and fuel:

  • Order records – invoices and purchase orders should state the quantity of fuel ordered and the delivery dates. Given this is a military base, there are likely to be some sort of movement records to register in advance the potential delivery.
  • Tanker truck records – records of how many tanker trucks entered the base and their capacity (this might be captured at the front security gate for emergency management reasons in case of fire).
  • Fuel transfer records – these should record how much fuel was actually delivered from the tanker to HMS Bulwark, and would likely be maintained by the driver or the fuel tanker company’s order delivery system (most likely a smart phone app). Requirements to supply these to the customer could be mandated in the contract of sale.
  • Fuel receipt records – these would be maintained by the crew of HMS Bulwark, recording all details of the delivery including fuel quality records through onsite Quality Assurance testing performed by the ship’s engineers as well as the quantity of fuel recieved.

These four datasets could be collected by customers and monitored on a proactive, ongoing basis to identify discrepancies indicative of potential product diversion using data visualisation tools such as Tableau or even Microsoft Excel. Alternately product diversion schemes such as this may also be identified during distributor audits or compliance investigations.

What other preventative and detective controls might be relevant in this scenario?

In addition to the data points outlined above, a range of other preventative and detective controls could be used to identify potential diversion. These measures may be more expensive than the ‘books and records’ approach outlined above, hence their application should be risk-based. Relevant examples include:

  • Accurate calibration of measures to calculate the volume of fuel delivered – just like petrol stations, fuel delivery measures need regular re-calibration, and in some instances may be tampered with to under- or over- deliver. There may be two such devices in this example – (1) the tanker truck and (2) HMS Bulwark.
  • Quality checks should be performed by the customer to ensure the diesel is appropriate quality and that product substitution has not occured (e.g. fuel diluted with another substance, fuel sitting on top of a heavier substance to give the appearance of conformance).
  • GPS monitoring on the tanker truck allows both the vendor and customer to monitor for unscheduled stops, which could be indicative of an accident or unscheduled delay, cargo theft (e.g. hijacking), or collusion with organised crime elements. These systems typically generate an alarm or alert in an operations centre.
  • IOT sensors may also be attached to fuel lines or guages, to confirm quality and volume of product in real-time as it is decanted from the tanker to the fuel storage tank.
  • High-value or sensitive facilities should be subject to a range of physical security measures.
  • Third parties loitering in a secure area, either pre- or post-fuel delivery, are also indicative of suspicious activity that would warrant further investigation (as allegedly occured in this case)

As you can see, the Internet of Things (IOT) and the proliferation of sensors in daily life provide excellent opportunities for detecting product diversion in near real-time.

Lessons learned – what to do about it?

Performing a thorough anti-diversion risk assessment, and then implementing appropriate detective measures to identify potential diversion incidents early, before any substantial loss is the foundation of a proactive approach to managing diverison risk. The data required for detecting this type of diversion is likely to be readily collected in most organisations, and simple tools such as a spreadsheet can help identify anomalies. Detecting diversion in your data can be easy and cost-effective when you know what to look for.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Vendor Fraud: what is it?

Posted on by

Paul Curwell, CPP, CFE, CISSP

Are there fraud risks associated with vendors?

Every public and private sector organisation today has a requirement to outsource some or all aspects of their operations, whether it be purchasing supplies or equipment, engaging a managed (outsourced) service provider to run its IT helpdesk or security operations centre, our purchasing tangible products or raw materials for its operations. Managing these capabilities takes a lot of effort and typically requires a specialist team aside from the procurement function to manage key relationships day to day.

Photo by fauxels on Pexels.com

We all know that relationships are difficult by their nature, and business relationships are no different to those in our personal lives. Sometimes, however, relationships deteriorate substantially to the point of potential litigation or where those relationships may be severed. Common triggers for this includes upstream supply or quality control issues, breaches of confidentiality, and fraud.

What is fraud?

The Commonwealth Fraud Control Policy defines fraud as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’. As defined here, a benefit can be non-material or material benefit, tangible or intangible. Benefits may also be obtained by a third party. Examples of fraud relating to vendors include:

  • theft
  • accounting fraud (e.g. false invoices, misappropriation)
  • causing a loss, or avoiding and/or creating a liability
  • providing false or misleading information
  • failing to provide information when there is an obligation to do so
  • misuse of assets, equipment or facilities
  • making, or using, false, forged or falsified documents
  • wrongfully using confidential information or intellectual property.

Business to business fraud is a problem which remains largely off the radar – many businsess have problems with their vendors or business partners, but these rarely end up in court or in the media. Frequently, even when a business relationship goes wrong, the parties to the relationship still need each other and will work to rebuild trust that has been lost where an alternate supplier or partner is not available.

One important note on vendors is that they form part of your organisation’s inner circle: they are trusted insiders who, by virtue of this status, have privileged access to your organisation, its products, information, services, systems, facilities and people beyond that of the ordinary public. It is critical that vendors be considered as part of your Insider Threat Management Program, as well as in your Supply Chain Security, Integrity and Fraud Program. Where there are overlaps in coverage in these programs, this should be harmonised.

Associations with irreputable vendors can also damage your organisation’s reputation, and potentially introduce the risks of civil or criminal action as well as shareholder activism. One example here is where a vendor is involved in modern slavery, and your organisation’s due diligence program has not detected this in advance.

Photo by Rolled Alloys Specialty Metal Supplier on Pexels.com

What is the vendor fraud landscape?

Vendor fraud can be defined as fraud involving a vendor that occurs at any point in the supplier process, which is:

  • Supplier selection
  • Contracting
  • Operations
  • Termination

The Association of Certified Fraud Examiners (ACFE) notes that vendor fraud can occur in anything from billing to delivery of supplies, and can be broadly grouped in two categories. Vendor frauds involving trusted insiders, such as employees and contractors, can occur indepedent of the vendor or in collusion with them. There are also various types of vendor frauds perpetrated without the involvement of insiders. These range from what we might call ‘soft frauds’, such as subtly charging the wrong hourly rate or claiming travel expenses when not applicable, through to more serious problems like product substitution. A high level taxonomy of vendor fraud is shown below:

Vendor frauds involving insidersExternal vendor frauds
Billing schemes (invoicing)Labour fraud schemes (for outsourced services)
Corruption schemes (e.g. kickbacks, bribery, conflicts of interest)Travel fraud schemes
Fraud schemes involving materials
Shell companies and pass through schemes
Hidden subcontractor schemes
ACFE – high level vendor fraud taxonomy

As you can see, there is a wide spectrum of vendor frauds – the ACFE’s training course on vendor fraud, referenced below, is a great starting point for someone new to this area. Some are specific to particular types of work – such as labour and travel fraud schemes more prominent with the outsourcing of services.

Vendor fraud versus supply chain integrity: what’s the difference?

As the focus of @forewarnedblog is on protection and integrity of critical technologies, supply chains, IP, products, brands and marketplaces, I would be remiss if I did not cover vendor fraud schemes involving materials and ‘supply chain integrity’ in more detail.

The term ‘supply chain integrity’ is being used increasingly in common language to reflect whether business (as opposed to retail consumers) buyers have ‘got what they paid for’ in relation to materials (products). As consumers, when we buy a product (the material) we expect it to meet certain quality or provinance (origin) standards, such as those advertised by the seller or manufacturer. In countries like Australia, many of these requirements are also enshrined in consumer law. If a product breaks or fails, or if it is poor quality such as paint peeling off, then we feel disappointed and probably worse. It is business’ responsibility to make sure this outcome doesn’t happen for its consumers, which is where a Supply Chain Integrity program comes in.

A Supply Chain Integrity program aims to “mitigate the risk end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted” (The United States Pharmacopeial Convention, 2016). These programs apply to both buyers and sellers, but the focus differs depending on where you sit in a supply chain.

Photo by cottonbro on Pexels.com

The overlap with vendor fraud lies with what ACFE refers to as “fraud schemes involving materials“, where risks such as product substitution (a buyer pays for a product meeting one set of specifications, but it is substituted for a cheaper, lower quality, alternate or less functional model which might be less reliable or functional for the user). Typically, the trust a consumer places in a product or service is also wrapped up in the seller’s brand – if we see a product for sale from a brand we trust, we might buy it without question. Commonly, Supply Chain Integrity is bundled with Supply Chain Security into a consolidated ‘Supply Chain Integrity and Security’ program (SCIS), as seen in the global pharmaceutical industry.

Typically, an SCIS program focuses on both upstream supply (i.e. ensuring substandard products or raw materials do not infiltrate your supply chain as an input to say manufacturing), and downstream to ensure that counterfeits and diverted products do not enter a supply chain through nodes such as authorised distributors. In contrast, vendor fraud programs are typically narrower in scope.

What does this mean in practice?

In my opinion, if you are in an industry with serious life, safety or reputational (‘brand’) risks attached to the quality of materials provided by your suppliers, using a vendor fraud program to manage product substitution fraud risks may not be sufficiently robust or rigorous. Typically these programs focus on whether the vendor supplied a substandard product (i.e. may have defrauded you in terms of your sourcing, purchasing or procurement process) rather than a more holistic program aimed at improving the security and integrity of your supply chain overall (i.e. all products across all vendors). For these industries, a holistic Supply Chain Integrity and Security program (that also addresses the vendor fraud risk of product substitition) is more appropriate.

Photo by cottonbro on Pexels.com

We already see this situation emerging in high reliability industries (e.g. mass transport, pharmaceuticals and medical devices, automotive and aerospace). In Australia, this area is becoming increasingly regulated with amendments to Australia’s Security of Critical Infrastructure (SOCI) Act which covers eleven critical infrastructure sectors and introduces new rules for managing supply chain integrity and security hazards. There’s a lot to unpack in this topic – I will cover some types of vendor fraud, particularly product substitution (sometimes called ‘product fraud’) in future posts.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Upcoming changes to private investigator and security licencing in New South Wales

Posted on by

Paul Curwell, CPP, CFE, CISSP

Australia’s path to security industry regulation

Australia has had legislation to regulate the security industry since the 1980’s, and was introduced to establish minimum qualification and character requirements (including criminal history checks) and to try to prevent infiltration of the sector by organised crime (see Prenzler and Sarre 2012).

This is State or Territory-based legislation: there is no regulation of the private security industry by the Commonwealth, and arrangements involving Australian Government security clearances and the Defence Industrial Security Program are completely separate. State police predominately manage security licencing in Australia, however there are exceptions where this role is performed by a state’s Office of Fair Trading. Legislation in each state or territory contains provisions for mutual recognition of licences held in other Australian jurisdictions, as well as limited provisions for temporarily working in other states.

Photo by Rijan Hamidovic on Pexels.com

Current legislation in NSW

In New South Wales (NSW), Australia’s most populous state, the NSW Police currently manages licencing for Private Investigators and Security Consultant’s under two pieces of legislation as at the time of writing:

  • Security Industry Act 1997 (NSW)
  • Commercial Agents & Private Inquiry Agents Act 2004 (NSW)

The legislation establishes licencing requirements for individuals (known as ‘operator licences’) and employers (known as ‘master licences’). In 2016, the Security Industry Amendment (Private Investigators) Act 2016 No 40 (not commenced) was passed to establish the legal basis for these changes, however there was no date when this was to take effect until October 2021, creating an element of confusion for licencees.

Effective 1 July 2022, licencing of private investigators will be incorporated into the Security Industry Act. In practice, this means professionals who offer both private investigator and security consulting services go from requiring two master and operator licences to one of each category. The addition of Class 2E to an operator’s security licence authorises the licensee to act as a private investigator or act in a similar capacity. These improvements to regulations, warmly welcomed by me as a holder of both licences, will streamline compliance.

Photo by Noelle Otto on Pexels.com

Individual (operator) licencing in Australia

In Australia, it is common to find individuals working in roles that provide services which involve private investigation and security consulting within the same engagement. An example might be where an investigation is performed into theft, which also results in advice on how an organisation can improve its internal controls to prevent theft in the future.

Cybersecurity professionals are not explictly included or excluded from the need for operator licencing in Australia, which means some people are licenced and others are not. In my view, licencing of cybersecurity professionals is overdue, this gap creates confusion and inconsistency. It is reasonably safe to assume that some unlicenced activity is being undertaken in Australian industry.

The scope of licenced security consulting and private investigation services in NSW are as follows:

Private Investigatorprivate investigator means a person who is employed or engaged for the purposes of either or both of the following:(a)  the investigation of persons, being any activity carried out by a person on behalf of a second person (not being his or her employer) that involves finding a third person or investigating a third person’s business or personal affairs,
(b)  the surveillance of persons, being any activity carried out by a person on behalf of a second person (not being his or her employer) that involves the surveillance of a third person.
Security ConsultantSecurity Consultant (licence class 2A) —authorises the licensee:
(i)  to sell security methods or principles, and
(ii)  to act as a consultant by identifying and analysing security risks and providing solutions and management strategies to minimise those security risks,
Definitions of activity licenceable under NSW law

To be eligible for the above licence, individuals must hold the relevant qualifications, as well as satisfy relevant employment experience and character requirements (including undergoing fingerprinting by police).

Performing the above services without a licence is a criminal offence in all Australian states and territories. The maximum penalty for “carrying on a security activity” unlicenced in NSW is a fine of 500 penalty units ($110 fine per penalty unit, so $55,000) or imprisonment for 2 years, or both (refer legislation).

Employer (master) licencing in Australia

Holding a master licence means organisations can provide licensed security operatives to carry out security activities in NSW (i.e. including security consulting services and, as of 1 July 2022, private investigation services). Master licence holders must ensure that only appropriately licenced employees provide security services. There are three categories of master licence holder under NSW law:

  1. Individual – individuals registered as a sole trader (or partnership) who wish to either carry out security activities in a self-employed capacity with a Class 1 or Class 2 security operative licence, or provide security operatives under an ABN
  2. Corporation – ASIC-registered corporations, excluding trusts and partnerships, that wish to provide security operatives to carry out security activities
  3. Government Agency – government agencies that wish to provide security operatives to carry out security activities.

A master licence holder is subject to a number of prerequisites as well as character checks of directors and ‘close associates’. As with individual licences, there are penalties for providing unlicenced security services. These are currently 1,000 penalty units in the case of a corporation ($110,000) or in the case of an individual, 500 penalty units ($55,000) or imprisonment for 2 years, or both.

Photo by Lukas on Pexels.com

How to check an individual or business is licenced in Australia?

The regulator for security industry and private investigator licencing in each state or territory manages their own register of licencees. In NSW, this register can be queried by members of the public here: Service NSW.

As with any industry, there are a range of practitioners from those offering highly professional, highly skilled services through to those with substantially less experience. Prospective buyers of these services should perform appropriate due diligence.

Further reading:

  • New South Wales Police (2021). Fair Trading seeks feedback on proposed Commercial Agents rules, SLED News, 28 October 2021, www.police.nsw.gov.au
  • New South Wales Police Security Licencing and Enforcement Directorate
  • Prenzler, T. and Sarre, R. (2012). The Evolution of Security Industry Regulation in Australia: A Critique. International Journal for Crime, Justice and Social Democracy, 1, 1, 38-51.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.