The Rise of the Virtual Client

The Rise of the ‘Virtual’ Client?
Factoring and discounting is easy, or so I was told some 37 years ago on my first day in the industry. This was explained as “…there are only two rules we have to follow to ensure success...”
Rule number 1 - is that we only need three things in place for a ‘perfect’ secure relationship.
·         A good client selling
·         Good products and services to
·         Good debtors.
Rule number 2 – only finance invoices that will be paid.
They were good rules then and they are good rules today. So that’s easy, isn’t it? Stick to those ‘simple’ rules and we can’t go wrong!
Of course that’s not the whole story. We would like to think it was still that simple, but we are living in more and more complex times. And we still have to cope with 1,000s of potential problems, not least the ‘fraudulent’ behaviour (breaches of the agreement, either deliberate or unintentional) of some clients. But we actually manage to do this quite well. OK, we get caught from time to time, but we are in a ‘risk business’ and without taking controlled risks we would not be maximising our potential returns.
To control all these risks we employ a range of protective methods.
·         New prospect assessment and survey
·         Debtor assessment in terms of creditworthiness
·         Operational teams to verify debts – prior to financing
·         Auditors to examine past transactions and to retrospectively ensure that clients have met their obligations and will continue to into the ‘perceivable’ future….well at least for the next three/six months until we audit again!
·         Account managers and their operational colleagues to monitor activity day by day.
In spite of all this activity we have to recognise that we have ‘built-in’ gaps in this risk protection. And some of these gaps stem from the very protection mechanisms that we employ, in particular our dependence on key activities.
·         We depend on random/systematic verification - but we can’t and don’t check everything.
·         We depend on credit rating agencies to give us the correct information on debtors. And in these difficult economic times even that can lack short-term consistency.
·         We depend on our ability to correctly interpret the increasingly complex information we are given…even bringing in sophisticated computer risk management systems to help with this task
·         And we actually place considerable trust in our clients to provide correct information in the first place. Only reacting when they are proven to be untrustworthy.
At the very heart of all our operational activity, the majority of our current protection is based on a small number of fundamental beliefs:
·         We know who our clients are, both the business itself and owners/directors – and where they are
·         Likewise we know their debtors and where they are
·         And that third party, independent supporting evidence is good in terms of clarifying our risk
But our traditional belief in these fundamentals must start to be challenged, as the continuing and inexorable development of technology on all fronts is confronting us with new problems, with those of the virtual client already starting to appear.
The Virtual Client?
Definition - vir·tu·al/ˈvərCHo͞oəl/  Adjective

Not physically existing as such but made by software to appear to do so



This definition, if applied to many of our existing protection fundamentals, blows us completely out of the water when dealing with the increasingly rapid development of virtual technology.
Let me start with just two ‘virtual’ areas that we have already been living with for some time.
Logistics tracking – a virtual on-screen signature evidencing that a delivery has been made to a debtor. Almost anyone today using a major courier/transport company will have access to their logistics tracking systems. We largely accept that it is a good, solid approach to first line security to obtain both username and password for such systems used by our clients and use the computer signature/logistic tracking information as independent/third-party evidence of the delivery of the goods.
However, we have already seen at least one client (themselves a courier company) use this very ‘independent sign off’ as the basis of their attempt to defraud their discounter by delivering and obtaining signatures for hundreds of empty envelopes. The online delivery receipt signature was taken by the discounter as verification of the delivery of far more valuable goods and hence bigger invoicing. In this case the client forgot to change the delivery weight/size so it was relatively easy to spot the problem. But perhaps next time a slightly smarter fraudster will ensure that the weights also tie in with the fictitious delivery information.
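The weight mismatch that exposed this case can be checked routinely rather than spotted by luck. The sketch below is an added example, not part of the original article: the invoice and tracking records are constructed, and the field names, unit weights and 25% tolerance are assumptions.

```python
from collections import Counter

# Constructed sample data. Field names, unit weights and thresholds are assumptions.
INVOICES = {  # invoice ref -> consignment ref and (quantity, unit weight in kg) lines
    "INV-1001": {"consignment": "C-001", "lines": [(10, 12.0)]},
    "INV-1002": {"consignment": "C-002", "lines": [(40, 2.0)]},
    "INV-1003": {"consignment": "C-003", "lines": [(5, 15.0), (4, 5.0)]},
    "INV-1004": {"consignment": "C-004", "lines": [(6, 10.0)]},
    "INV-1005": {"consignment": "C-999", "lines": [(8, 5.0)]},
}
PODS = {  # consignment ref -> what the courier's tracking system shows
    "C-001": {"signed": True, "weight_kg": 118.5},
    "C-002": {"signed": True, "weight_kg": 0.1},
    "C-003": {"signed": True, "weight_kg": 0.1},
    "C-004": {"signed": False, "weight_kg": 59.0},
}

def expected_kg(invoice):
    """Weight the invoiced goods should have, from quantity x unit weight."""
    return sum(qty * unit_kg for qty, unit_kg in invoice["lines"])

def check_invoice(invoice, pod, tolerance=0.25):
    """Return reasons why the tracking record does not support the invoice."""
    if pod is None:
        return ["no tracking record for consignment"]
    reasons = []
    if not pod["signed"]:
        reasons.append("delivery not signed for")
    expected = expected_kg(invoice)
    ratio = pod["weight_kg"] / expected if expected else 0.0
    if abs(1 - ratio) > tolerance:
        reasons.append(f"weight {pod['weight_kg']} kg, expected about {expected} kg")
    return reasons

def review(invoices, pods, repeat_threshold=2):
    """Flag weakly evidenced invoices and weights repeated across consignments."""
    flagged = {}
    for ref, invoice in invoices.items():
        reasons = check_invoice(invoice, pods.get(invoice["consignment"]))
        if reasons:
            flagged[ref] = reasons
    # Identical weights on many consignments point to identical parcels,
    # whatever the invoices say was shipped.
    counts = Counter(pod["weight_kg"] for pod in pods.values())
    repeated = sorted(w for w, n in counts.items() if n >= repeat_threshold)
    return flagged, repeated

if __name__ == "__main__":
    flagged, repeated = review(INVOICES, PODS)
    for ref, reasons in flagged.items():
        print(ref, "->", "; ".join(reasons))
    print("repeated consignment weights (kg):", repeated)
```

A clean result here is one signal only: if the weights are made to tie in with the fictitious deliveries, this check passes, so it supplements direct debtor verification and does not replace it.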
Bank Statements
A normal check at the month end reconciliation and at audit is to review a client’s bank statements. However once again we see technology playing its part in assisting the fraudster.
Only last year I encountered a client who had very simply downloaded his bank statements from his online facility and loaded them into Excel. These statements looked almost identical to the ones he could have printed off – including the bank’s logo and address details.
He then changed the figures to confirm that payments had been cleared to VAT and PAYE and that there was no banked cash. These ‘edited’ statements were sent into the discounter as part of the month end reconciliation information, and had been checked by the auditor a few months earlier.
In fact there was a considerable amount of banked cash and no payments had been made to VAT or PAYE. By the time these ‘adjustments’ had been spotted the client was in liquidation and all the typical problems of an unexpected client collapse were stoically being tackled by the discounter.
The virtual figures had been simply/easily manipulated – whilst the real figures (original bank statements) would have warned the discounter of the growing pressures on the client. And even a fairly experienced auditor was taken in by them.
You might be thinking that we spot these types of problems quite well these days, and certainly with the bank statements there was probably a high contribution of negligent checking on behalf of the discounter. Well, I can tell you that you are wrong.
Yes, we know about them, but we are not as good as we think we are at disseminating this type of information to those who need to know about this type of potential problem area. In reality our security management teams spend a considerable amount of time re-inventing the wheel - normally after it has fallen off - in rediscovering risks we already know about and trying to come up with a way of identifying them and minimising their impact on security. We need to ensure that all risk data, including intelligence on failed clients’ collect-outs (i.e. what went wrong, what helped/hindered the collect-out process etc.), is fully, 100%, circulated to everyone who may be in any way responsible for an element of security protection.



That is today but let me project a few more issues into the melting pot, all of which are supporting an increasing movement towards the virtual client.
The Virtual Customer - EDI Process Systems
Many companies, certainly the larger ones, are already rapidly moving towards paperless systems, with all those key components of our security checking routines now being largely held in ‘cyberspace’ or at best on a computer somewhere within our client companies. The days when an auditor could simply look at original source documents are disappearing very, very quickly.
Once again an example from recent weeks. I carried out an audit on a very large group of companies with a Group turnover in excess of £100m a year. There are 4 group companies which are all confidentially discounted.
Their largest group company has a single customer, a major international retail chain. This subsidiary of the client sells around £25m worth of product to them each year so about 25% of group turnover.
·         There are no hard copy purchase orders.

·         There is a simple master contract agreeing a price structure for the next 12 months which contains no contractual problem areas.

·         Beyond that, individual orders are processed on the customer’s own EDI system, which the client has login access to. When I visited they were not even bothering to hard copy the order screens as a record; they were simply downloading that day’s orders and sending them on a spreadsheet printout to their processing/manufacturing department. They use only the customer’s reference number, having no internal references.

·         The customer’s EDI system is used by the client to advise that an order is ready for collection.

·         The customer sends their own haulier in to the client to collect the goods. The driver scans base data off packaging labels applied to each element of the delivery by the client. Then later in the day the customer’s EDI system shows that the goods have been collected.

·         The client’s credit controller does not know where the payment office is, and does not have an email address, any contact names or a telephone number for the customer’s account office. Any query, and there are almost none, is entered into the customer’s EDI system.

·         Payment notifications are made – yes you guessed it – on the customer’s EDI system. And at last there is a bit of paper we can see - the payment on the client’s bank statement.

The client is very happy with the arrangement: it works easily for them and they get payment quickly. Their customer is happy as they have control over every aspect of their supply process chain.
The discounter is also generally happy: a long-established, profitable client, albeit with a very well rated customer who has a manageable concentration when set against the whole group turnover and who pays very well, in around 35 days. Well, we assume that it was the customer that made the payments, but we don’t actually know for sure!
So this is a good client and we should not be overly concerned. At one level I agree wholeheartedly with that view - however we are burying our heads in the sand if we don’t start to read the message that such a relationship is starting to demonstrate.
We are in truth looking directly at an embryonic virtual customer.
And what would happen if the client were to fail?
All – I repeat all – of the information we would need to prove order and delivery is held on the customer’s computer system, not the client’s. Please form an orderly line for those who would like to volunteer to run a collect-out if, before their failure, this client fell out with their customer. What, no takers???
Even moving outside the ‘virtual world’ we have issues with some of our base security routines. The only verification we have is that given via the customer’s EDI system, and that is only accessible at the client’s premises. The only way we know a payment has been sent is via the customer’s own EDI system etc…etc…etc…
But it’s a good client! Yes they are all good clients until they fail or try and defraud us.
So, to strengthen our security should we now be making it an acceptance condition that we want access to the EDI system (usernames/passwords) and how would this impact on the client/customer relationship particularly under a confidential agreement?
The Cloud
One of the most recent sexy development areas in the techno world is the growth of ‘The Cloud’. Microsoft have a very interesting explanation.
Simply the concept of the Cloud is that no longer do companies need to own or run their own computer programmes nor do they need to save/back-up their own data – it can all be held in the ‘Cloud’.
So we have a potential scenario in which our clients no longer have their own in-house accounting software; it is run in the ‘Clouds’. And their backup data is also held there. We will have no rights to access that data (unless again we make it a condition of acceptance and obtain login information), and in the event of a fraud or even a simple client failure what will be our route to access the data we may require for collect-out purposes? And how could we stop a fraudster, at the touch of a computer key from anywhere in the world, accessing their accounting data and destroying it all? Remember it may also be held in a jurisdiction that has a very different legal system to our own.
We will at least start to need some degree of notification to the cloud managers/owners that we have some rights of access to that data.
And then we have the communications industry also doing their bit to assist our virtual clients.
Virtual / Ghost Telephone Systems
For a number of years you have been able to buy from small internet-based companies a virtual telephone number for your mobile phone. These are real land-line phone numbers from any geographic location you wish. They are a marketing tool. You have a local number so you look like a local even in an area where you don't have premises. They cost less than £15 to set up and less than £5 a month. Short term contracts can be set up within minutes online.
And then in May this year one of the major players in the mobile phone world started to advertise these numbers in the national press.
So now it is impossible for us to know where we are calling even using a landline number when carrying out our verification phone calls – it could be our friendly fraudulent client sitting on a beach somewhere confirming that his own debts are genuine. Once again the virtual world has ridden a horse and cart through our basic security protections.
Virtual Companies
A virtual client would have only an internet home (their cloud), would sell from an internet marketplace, have contacts only via a virtual telephone number and use EDI order processing and invoicing.
And there have already been virtual company frauds. In Second Life (a whole virtual world) there was a bank that was set up, proceeded to scam people out of their money and then dissolved, leaving no trace…
How long before we have the virtual client...and perhaps even more importantly the virtual fraudster?


The Virtual Fraudster
·         They will set up a company which you then discount. An element of the company is genuine but what comes next is not.

·         In addition to all the normal tools of the criminal fraudster, false addresses, identity etc

·         They could set up a new customer account using all the details of a well known major company name.

·         A large credit / funding limit will almost certainly be granted on this ‘undoubted’ customer.  This customer will grow quite quickly; they can even offer this development of new business as the reason for discounting.

·         They will set up an EDI ordering and processing system to send orders into their company

·         All their accounting data is held in the Cloud

·         They will have a process to verify delivery via EDI or scanned information

·         Payments will be good as they route payments from the discounter back into customer payments

·         Verifications will only be possible, if at all, via a landline number – which is actually one of a series of mobile phones held by the client.

·         And then one day neither they, their records nor your money are there…
What Should We Be Doing
One of the main reasons I have written this ‘thought starter’ is to encourage dialog on these emerging threat areas. So I certainly don’t have all the answers although there are some areas that I feel will need more attention than perhaps we have given them in the past.
·         Understanding our client’s business dynamics in more detail is the first of these areas, particularly if they are in any way already involved in any virtual activities.

·         The client’s paper trail should be constantly monitored for changes towards virtual evidence.

·         Any EDI system that they are involved with needs a careful risk assessment carried out and action taken as appropriate to minimise any of the risks identified.

·         The client’s accounting systems and practices, including their data storage and backup arrangements, must also be better understood and again a risk assessment made against the scenario of the client failing.

·         More attention must be given to how we undertake our base security checks – being more thoughtful and inventive in respect of verification processes, for example.

·         I am certain that there are lots more ideas and I look forward to seeing some of the views on the 60 Minute Auditor blog.
But let me finish on a bit of a positive note – as with many problem areas there may well also be opportunities for us to develop.
The one that jumps to the front of my mind is that perhaps we should be offering access to ‘Cloud’ based software and data storage as an additional service to our clients/prospects. Then at least we will have a degree of contact / control with the data that we may require should things go wrong and it could also be a new income stream…


Robin Peers