©2015
MANAGING NEW FRAUD RISKS IN AN ELECTRONIC PROCUREMENT/TENDERING ENVIRONMENT
Procurement is the function most commonly targeted by fraudsters. Many organizations have already transitioned to, or are considering moving to, an e-procurement (e-tendering) system in the hopes of reducing fraud risks. However, while certain risks are reduced in an electronic environment, others simply change and new ones emerge. This session will use real-life cases to explain how contract and procurement fraud risks change when an organization moves from a paper-based system to an electronic one.
You will learn how to:
- Describe the ways an electronic environment can be used to replace a paper-based system.
- Recognize how fraud risks change and which new fraud risks emerge when converting to an e-procurement (e-tendering) system.
- Identify the key preventive and detective controls that are necessary in an electronic purchasing environment.
GERARD M. ZACK, CFE, CPA, CIA, CCEP
Managing Director
BDO Consulting
Bethesda, Maryland
Gerard Zack is a managing director in the global forensics practice of BDO Consulting and is based in the Washington, DC, area office. He has more than 30 years of experience providing fraud prevention, detection, and investigation services, as well as forensic accounting, fraud risk assessment, and risk management. He also designs fraud awareness training programs for organizations and evaluates corporate anti-fraud programs. His experience also includes numerous financial statement, compliance, internal, and vendor audits.

He has worked with businesses in many industries, nonprofit organizations, and government agencies throughout North America and Europe. Prior to joining international firm BDO, he ran his own anti-fraud services firm, Zack P.C., since founding the practice in 1990. Before 1990, he served as an audit manager with an international public accounting firm. Along the way, he took a two-year hiatus from his practice to serve as chief operating and compliance officer for an international scientific organization headquartered in Washington, DC.

Mr. Zack is a Certified Fraud Examiner (CFE), Certified Public Accountant (CPA), Certified Internal Auditor (CIA), and Certified Compliance and Ethics Professional (CCEP), and he holds a Certificate in Risk Management Assurance (CRMA). In addition to serving clients, he has served on the faculty of the ACFE since 2006, providing anti-fraud training in North America, Europe, Africa, Asia, and Australia. He is the 2009 recipient of the ACFE’s James Baker Speaker of the Year Award. In 2013, he was elected to serve a two-year term on the ACFE’s Board of Regents for 2014–2015.
Mr. Zack is the author of three books published by John Wiley & Sons: Financial Statement Fraud: Strategies for Detection and Investigation (2013), Fair Value Accounting Fraud: New Global Risks and Detection Techniques (2009), and Fraud and Abuse in Nonprofit Organizations: A Guide to Prevention and Detection (2003). He is also the principal author of the ACFE course “Uncovering Fraud with Financial and Ratio Analysis,” and he has contributed to several other course manuals. He is the author of numerous articles on fraud-related topics and is a highly sought speaker at international and national conferences, including the Annual ACFE Global Fraud Conference and those sponsored by the AICPA and many other groups.

Mr. Zack earned his M.B.A. in finance at Loyola University in Maryland and his B.S.B.A. in accounting from Shippensburg University of Pennsylvania. He can be contacted by telephone at +1 301.634.0279 or by email at [email protected].
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.
26th Annual ACFE Fraud Conference and Exhibition ©2015
If there is one word that can consistently be used to describe fraud risk management, it is change. Fraud risks are in a perpetual state of change, and our fraud risk assessments and risk mitigation strategies have to keep pace. Organizations that fail to do so inevitably suffer the consequences in the form of fraud, corruption, and compliance breaches. Some of the key drivers of change that impact fraud risks are:
- People
- Strategy
- Competition
- Economic conditions
- Regulatory environment

As each of these drivers changes, the fraud (and other) risks our organizations face also change, sometimes drastically. Another driver of fraud risk, and a significant one, is technology. And technology is the category in which this session’s fraud risks exist.

Developments in technology represent both assets and risks to most organizations. Many developments enable organizations to work more efficiently, and some improve security. Improvements in data analytics have significantly enhanced our ability to monitor activities and detect fraud and noncompliance in a timely manner in recent years. However, fraudsters also capitalize on technology. As technology has changed, so too have fraud schemes. The chart below depicts a simple progression of frauds as the tools used to perpetrate them have evolved:
Type of Fraud / Example

- Simple fraud using simple tools: Subject uses a hammer to break into a warehouse to steal inventory.
- Complex fraud using simple tools: Kickback scheme in which a procurement employee secretly opens offers that have been received and leaks information from those offers to the preferred vendor.
- Simple fraud using complex tools: Employee inflates an expense reimbursement claim by scanning original supporting documents, using photo editing software to alter amounts, and submitting the inflated claim.
- Complex fraud using complex tools: Undisclosed conflict of interest scheme in which a purchasing employee establishes an online shell company, circumvents e-tendering by inserting an e-bid directly into the system, then submits fraudulent invoices electronically.
Fraudsters generally utilize developments in technology to perpetrate frauds in one of two manners:
1. By developing tools of their own to perpetrate crimes using the latest technology
2. By exploiting overlooked weaknesses in our systems as we deploy new technology

The second manner is the one that provides the greatest surprise to organizations, when they realize that they really did not fully assess all the risks when a new technology was implemented. In particular, this session will focus on the increasing trend toward electronic tendering/procurement.
Why e-Tendering?
Globally, many government agencies and large corporations have converted from an entirely paper-based procurement/tendering process to one that is wholly or partly electronic. Some of the most commonly identified potential benefits of e-tendering include:
- Increased visibility of procurement opportunities, which opens up the tender to a broader range of vendors and leads to an increased number of offers
- Reduction in the time and effort involved by the purchaser in preparing, publishing, and processing tenders, as well as in receiving offers
- Reduction in procedural mistakes caused by human error during the procurement process
- Increased degree to which automation can be used in the evaluation of offers
- Improved transparency and reduced risk of corruption and fraud

I’ll come back to the final potential benefit later, the potential for reducing the risk of fraud and corruption. But, first, a few additional basics about e-tendering.
Generally, there are three levels of e-tendering that can be utilized:
1. One-way communication: Vendors register online, download RFPs and so on, and receive other communications from the purchaser via the site, but submit paper proposals.
2. Two-way communication through selection: In addition to the preceding, vendors submit questions to the purchaser, receive responses to questions, submit proposals, and are notified of selection by the purchaser, at which point the e-system is no longer used.
3. Complete two-way communication: In addition to the preceding, the contract with the winning bidder is executed electronically, as are all subsequent modifications and communications.

Each of these three levels may be implemented using one of the following models:
1. Dedicated e-Tendering System: The procuring organization owns and controls the entire system infrastructure that is used throughout the process.
2. Partial Outsourcing Model 1: The procuring organization purchases and owns the e-tendering system, which is managed by a service provider.
3. Partial Outsourcing Model 2: The procuring organization uses the e-tendering system of a service provider, who owns and controls the infrastructure.
4. Full Outsourcing Model: The procuring organization registers and uses the service provider’s portal for e-tendering, without any direct intervention from the service provider. The service provider is basically a platform provider, while the management of the process (i.e., the actual tendering activities) remains in the hands of the procuring organization.

Which approach an organization takes in implementing an e-tendering system depends on many factors, including its needs, its internal capabilities to operate and maintain a system, and others. Likewise, the degree to which an organization is vulnerable to some of the fraud risks that will be explained in this paper is also dependent in part on which level and model is utilized.
The Tendering Process

Converting from paper to electronic systems affects some, but not all, phases in the procurement cycle. So, our starting point is to understand what the procurement cycle entails.

The four phases in the procurement/tendering process, and the fraud and corruption schemes most commonly associated with each, are as follows:

Presolicitation Phase
- Need recognition schemes
- Bid specification schemes (e.g., bid tailoring)
- Unjustified sole sourcing
- Bid splitting
- Bidder prequalification schemes

Solicitation Phase
- Leaking of information
- Inappropriate Q&A communications
- Manipulation of bid receipt
- Back-dating receipt of bids
- Collusion among bidders

Evaluation and Award Phase
- Bid manipulation
- Improper disqualification
- Unjustified changes in bid specifications or award criteria

Post-Award and Performance Phase
- Change order abuse
- False billings
- Product substitution
- Non-conforming goods or services
- Cost mischarging
Whether an organization uses a paper or electronic system does not impact the risks of each of these schemes equally. Some risks would be unaffected by a switch from a paper to an electronic system. For example, a need recognition scheme, in which a perpetrator simply creates a phony need and then makes a purchase, would not be significantly impacted one way or the other (increasing or decreasing the risk) by moving from paper to electronic. Likewise, bid splitting to circumvent a monetary threshold is likely to be equally effective in circumventing an electronic system as it is a paper system.
Another way of looking at the deployment of new technology is to consider whether the utilization of a new technology would:
- Eliminate a particular fraud risk
- Reduce the likelihood of a fraud risk
- Alter the characteristics of an existing fraud risk
- Increase the likelihood of an existing fraud risk
- Create a new fraud risk

Most of the attention devoted to e-tendering has dealt with its potential for reducing or eliminating certain risks. But, what about the third through fifth categories above? The remainder of this paper will explore risks that could be overlooked when implementing an e-tendering system. For purposes of this session, fraud risks will be classified into two categories:
1. The latter stages of the presolicitation phase (involving vendor awareness of tenders, vendor registration, and prequalification) and early solicitation phase (up through the posting of bidding documents and subsequent Q&A)
2. The latter half of the solicitation phase (beginning with the submission of bids by vendors) through the evaluation phase

It is in these two areas, overlapping three of the four procurement phases outlined above, where e-tendering fraud risks can be differentiated from their counterparts in a paper environment.
Schemes in the Presolicitation Phase up Through Posting of Bidding Documents

The primary risks in the presolicitation phase that may differ in an electronic environment from a paper environment involve the following steps that may occur prior to any tenders being posted by the purchasing organization:
- System access by potential bidders
- Registration by potential bidders
- Prequalification of vendors

Most schemes in the presolicitation phase are designed to limit access to preferred bidders, at the exclusion of other qualified bidders.

Pre-qualification is a step in the procurement process in which bidders are subject to preliminary screening, limiting the pool of bidders whose bids will be accepted and considered. Common prequalification criteria include:
- Number of years in business
- Annual turnover
- Level of insurance coverage
- Regulatory certifications and/or licenses
- Direct v. indirect provider of materials or personnel

Pre-qualification should be a step that is used only in procurements where it is deemed to be necessary. An unnecessary prequalification step may be exactly how a fraudster excludes otherwise qualified bidders from the process. Likewise, including unnecessary criteria for prequalification is another technique that could be used to limit competition. But these risks are no different in an electronic environment than they are in a paper setting.

In an electronic environment, some techniques that could be used to restrict competition, and the corresponding controls for each, include:
Scheme or Technique / Control

a. Posting bid notifications/advertisements to a difficult-to-access website
   Control: Post all notices on a publicly available website that is easy to locate

b. Requiring registration to gain access to tender notifications
   Control: Registration should not be required to simply be able to view upcoming tenders

c. Charging a fee to enroll in the bid notification or registration system
   Control: Online enrollment should be free

d. Requiring multiple registrations—separate registrations for each project
   Control: Utilize a single sign-on system whereby vendors use the same registration repeatedly for multiple projects

e. Requiring unnecessary information simply to register to receive tender notifications, such as information preferred vendors might have but that others (such as smaller but qualified vendors) might not have
   Control: Limit required registration information to only the most essential

f. Utilizing an overly complicated system for registering or submitting data for prequalification
   Controls: Provide clear and readily available instructions; make training available to users; consider use of multiple languages

g. Requiring a cumbersome enrollment process for new vendors, while grandfathering in preferred vendors upon implementation of the electronic system
   Control: Utilize a consistent enrollment process across all vendors, including existing vendors

h. Requiring a digital certificate simply to register on the system
   Control: Do not require a digital certificate for registration

i. Posting notices that require special software to read or that have compatibility issues
   Control: All documents should be readable using a range of commonly used software, such as freely available software that can be downloaded directly from the site itself (e.g., Adobe PDF documents)

j. Charging a fee for prequalification
   Control: There should be no charge for a vendor who wishes to submit to a prequalification process

k. Lack of or unclear information about how long the registration or prequalification process takes
   Control: Provide clear information and consistently meet expectations (if you say it takes one week for prequalification, get it done in a week)

l. Frequent changes in technology utilized by the prequalification system, making accessibility by vendors technologically challenging
   Controls: Keep it simple; provide sufficient advance notice of changes, esp. if user system requirements are affected; provide user guides and training

m. Requiring that documents be uploaded to the system in formats that require special software (i.e., in prequalification)
   Control: Any required uploads of documents should be allowable in formats that are commonly or freely available (e.g., PDF, common text formats, etc.)

n. Failing to make clear when certain documents must be submitted in paper form
   Control: Minimize any requirements for submission of paper documents and, where necessary, provide multiple warnings that paper documents are required and allow sufficient time for delivery

o. Rejecting prequalification applications (esp. after a deadline has passed) for reasons that should have been flagged for users during completion of online forms
   Control: Provide clear error messages along the way, as users complete online forms, about missing data, other errors, etc.
Schemes in the Solicitation and Evaluation Phases

The second category of risks in switching from paper to e-tendering exists once a tender is posted up through the submission of bids and the evaluation of bids and selection of the winning bid. Nowhere are the differences in fraud risks between paper and electronic systems more noticeable than in this phase. Some of the schemes or techniques used to direct business towards a preferred vendor in this phase include:

Scheme / Control

a. Requiring a separate registration for access to each tender
   Control: One registration should make subsequent tenders available to the vendor

b. Listing upcoming/open tenders in an unsearchable manner (esp. for larger organizations that may have hundreds of tenders posted at any point in time)
   Control: Provide for filtering and searching functionality for all tenders posted

c. Providing unclear guidance on due dates of bids by stating submission periods in number of days instead of providing a final due date
   Control: Always provide submission deadlines expressed as a calendar date (and time, if appropriate)

d. Posting notices of changes to call for tenders without an easy way of identifying where the changes were made (usually done in conjunction with leaking the change information to preferred bidders)
   Control: Include an index to all changes and clear detailed information about changes

e. System fails to provide confirmation of receipt of bid, only to later be deemed late or not received
   Control: Bidder should receive immediate notification of whether their submission was successful, including a date and time stamp; proof of delivery should be digitally signed by the e-tendering system

f. System does not allow resubmissions of bids even if deadline has not yet passed
   Control: Users should be permitted to correct errors by resubmitting a bid

g. Deleting a bid that has been submitted, claiming it never was received
   Control: Strong audit trail in the application involved in the receipt of bids

h. Modification of bids by purchasing entity employees, competitors and other third parties, or system service providers
   Control: Ensure confidentiality and integrity of information (see subsequent discussion) through strong access controls

i. Providing special access to the e-tendering system for a preferred vendor to allow unauthorized access to competitor or tender data
   Controls: Strong access controls; data mining associated with system access, to detect unusual entries

j. Blocking access for submission of bids during normal business hours and/or arranging for limited access for preferred vendors during unusual hours
   Controls: Implement consistent policy regarding days and times of access to the e-tendering system; data mining associated with system access to detect unusual times or dates of access

k. Fake bids submitted by shell companies associated with competitors or bidders in collusion
   Controls: Robust prequalification process; data mining of submitted bids, looking for red flags of fake bids
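Controls e, g and h above (a timestamped, system-signed proof of delivery, a strong audit trail for received bids, and integrity of stored bids) can be demonstrated together. The block below is an added example, not code from the paper or from any e-tendering product; it assumes an HMAC under a system key in place of a private signing key so that it runs on the Python standard library alone, which means its receipts are checkable by the system but not, as the paper requires of a digital signature, by third parties.

```python
"""Tamper-evident bid receipt ledger (added example; not the paper's or any vendor's code).

Implements controls e, g and h: a timestamped receipt signed by the system,
an append-only audit trail in which each record is chained to the one before it,
and a content hash that reveals later modification of a stored bid. Assumption:
an HMAC under a system key stands in for the system's private signing key so the
example runs on the standard library alone; a real deployment would use an
asymmetric digital signature so that receipts are verifiable by third parties.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

SYSTEM_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; would be a private key
GENESIS = "0" * 64


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of the record body, excluding the hash and receipt fields themselves."""
    body = {k: v for k, v in entry.items() if k not in ("entry_hash", "receipt")}
    return _sha256(json.dumps(body, sort_keys=True).encode())


def _sign(entry_hash: str) -> str:
    return hmac.new(SYSTEM_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()


class BidLedger:
    """Append-only, hash-chained record of bid submissions for one tender."""

    def __init__(self, tender_id: str):
        self.tender_id = tender_id
        self.entries: list[dict] = []

    def submit(self, vendor: str, bid_bytes: bytes, received_at: datetime) -> dict:
        """Record a bid; the returned copy is the receipt the bidder keeps as proof of delivery."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "tender_id": self.tender_id,
            "vendor": vendor,
            "bid_hash": _sha256(bid_bytes),          # integrity of the bid content
            "received_at": received_at.isoformat(),  # date and time stamp
            "prev_hash": prev,                       # link to the previous record
        }
        entry["entry_hash"] = _entry_hash(entry)
        entry["receipt"] = _sign(entry["entry_hash"])  # system-signed proof of delivery
        self.entries.append(entry)
        return dict(entry)

    def verify_chain(self) -> list[str]:
        """Return the problems found; an empty list means the audit trail is intact."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                problems.append(f"record {i}: sequence gap (seq={e['seq']})")
            if e["prev_hash"] != prev:
                problems.append(f"record {i}: chain broken, a prior record is missing or altered")
            if _entry_hash(e) != e["entry_hash"]:
                problems.append(f"record {i}: contents altered after receipt")
            if not hmac.compare_digest(_sign(e["entry_hash"]), e["receipt"]):
                problems.append(f"record {i}: receipt signature invalid")
            prev = e["entry_hash"]
        return problems

    def check_receipt(self, receipt: dict, bid_bytes: bytes) -> str:
        """Reconcile a bidder's receipt with the ledger when a bid is claimed 'never received'."""
        if not hmac.compare_digest(_sign(receipt["entry_hash"]), receipt["receipt"]):
            return "receipt was not issued by this system"
        if receipt["bid_hash"] != _sha256(bid_bytes):
            return "bid content does not match the receipt"
        if not any(e["entry_hash"] == receipt["entry_hash"] for e in self.entries):
            return "valid receipt but record missing from ledger: bid was deleted"
        return "ok"


def demo() -> dict:
    """Clean ledger, then a modified bid, then a deleted bid; returns each check's findings."""
    ledger = BidLedger("TENDER-0001")
    r1 = ledger.submit("Vendor A", b"price=100000", datetime(2014, 6, 2, 10, 5, tzinfo=timezone.utc))
    ledger.submit("Vendor B", b"price=95000", datetime(2014, 6, 2, 11, 30, tzinfo=timezone.utc))
    results = {"clean": ledger.verify_chain()}
    ledger.entries[1]["bid_hash"] = _sha256(b"price=99000")  # insider edits the stored bid
    results["modified"] = ledger.verify_chain()
    del ledger.entries[0]                                     # Vendor A's bid is deleted
    results["deleted_chain"] = ledger.verify_chain()
    results["deleted_receipt"] = ledger.check_receipt(r1, b"price=100000")
    return results
```

Note that deleting the most recent record cannot be caught by the chain alone; it is the bidder's retained receipt, reconciled by check_receipt, that proves the bid was received.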
Several of the risks identified in this section and in the preceding section involve the critical process of authentication. Authentication is the process that verifies a user’s identity. This is critical when submitting data in the prequalification stage, as well as in submitting bids. Two-factor authentication refers to using two different means for authentication—for example, something the user has (e.g., a card) plus something the user knows (e.g., a PIN).

The European Commission’s e-Tendering Expert Group in February 2013 published the following recommendations on authentication for e-tendering in its Recommendations for Effective Public e-Procurement:
Task to Perform / Authentication Requirements
- Query opportunity, download specifications, submit questions: Vendor opt-in for light registration (or remain anonymous)
- Prepare tender: Username + password, OR two-factor authentication (e.g., password plus SMS-based token) if imposed by contracting authority
- Submit tender: Username + password, OR digital signature if imposed by contracting authority
- Contract signature: Digital signature

Digital signatures are the electronic counterpart to a handwritten signature and are legally acceptable in many instances. Digital signatures must have certain characteristics in order to be considered valid:
- It must verify the sender.
- It must verify the date and time of the signature.
- It must authenticate the transaction at the time of the signature.
- It must be verifiable by third parties.

Sound digital signatures rely on sophisticated cryptographic technology, enabling them to resist electronic forgery.

E-tendering organizations should carefully think through their authentication processes. In cases in which an organization relies solely on usernames and passwords, rather than two-factor authentication or digital signatures, password recovery features should be strong enough so that unauthorized users could not easily guess at or perform limited research in order to be able to break into an authorized user’s account.
Two Recent Cases in e-Tendering Schemes

One 2014 case that illustrates several of the possible vulnerabilities described in this session involves Brihanmumbai Municipal Corporation (BMC). More than 20 BMC officials have been investigated in connection with this e-tendering scam, in which loopholes were created which enabled preferred vendors to submit bids while other qualified vendors were unable to submit their bids.

The primary technique used by the perpetrators appears to have been to open the system for accepting bids at very unusual times of the day, usually after midnight, and keep the system open for only a few hours rather than the seven days required by BMC policy. When other vendors attempted to submit bids during normal working hours, they were unable to do so, likely presuming all vendors were experiencing the same difficulties in accessing the system. In one instance, a tender was opened at 3:25 a.m. and closed at 8:59 a.m. the same day. In another, the tender was opened at 3:35 a.m. and closed at 9:12 a.m.

In addition, apparently certain BMC engineers leaked tender information to preferred vendors. These engineers also accessed BMC systems at odd hours to collect tender details or provided log-in information to preferred vendors. According to an investigative report, computer logs of civic engineers show that at least 20 used their official computers at odd hours. Officials allege the engineers either used the computers themselves or gave their passwords and usernames to contractors, who opened bids and received the contracts.

During the period of the scam, approximately 50 percent of BMC purchases were handled using the e-tendering system, while half used paper. As part of BMC’s remediation efforts, the organization will move to 100 percent e-tendering, but with several enhancements to its internal controls, including:
- Tenders only to be opened during business hours
- Requirement for the use of digital signatures
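The pattern in the BMC case (bid windows opened after midnight and closed a few hours later, staff logins at odd hours) is what the data-mining controls in the earlier table are meant to surface. The block below is an added example, not BMC's or the paper's own tooling: it runs both checks over constructed log extracts, reusing the window times quoted in the case; the log layouts, the 09:00 to 18:00 weekday business hours and the seven-day minimum are assumptions.

```python
"""Access-pattern checks for an e-tendering system (added example, not BMC's tooling).

Two detective controls from the tables above: (1) was each tender's bid window
opened and closed during business hours and kept open for the required period,
and (2) which staff accounts used the system at odd hours. Log layouts, the
business-hours definition and the seven-day minimum are assumptions.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

BUSINESS_HOURS = (9, 18)         # assumed: 09:00 to 18:00, Monday to Friday
MIN_WINDOW = timedelta(days=7)   # the seven days BMC policy required bids to stay open
TS_FORMAT = "%Y-%m-%d %H:%M"

# Constructed extract of the tender-window log. The first and third rows use the
# opening and closing times quoted in the BMC case; the second is a compliant window.
TENDER_WINDOWS = """tender_id,opened_at,closed_at
T-1001,2014-05-12 03:25,2014-05-12 08:59
T-1002,2014-05-05 10:00,2014-05-12 17:00
T-1003,2014-05-20 03:35,2014-05-20 09:12
"""

# Constructed extract of the application access log for purchasing staff.
ACCESS_LOG = """user,timestamp,action
eng07,2014-05-12 03:10,OPEN_TENDER_WINDOW
eng07,2014-05-12 11:40,VIEW_BIDS
clerk02,2014-05-06 14:05,VIEW_BIDS
eng12,2014-05-20 03:30,OPEN_TENDER_WINDOW
"""


def _ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


def outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the configured daily hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def flag_tender_windows(csv_text: str) -> list[tuple[str, list[str]]]:
    """Return (tender_id, reasons) for every window that breaks the access policy."""
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        opened, closed = _ts(row["opened_at"]), _ts(row["closed_at"])
        reasons = []
        if outside_business_hours(opened):
            reasons.append(f"opened outside business hours ({row['opened_at']})")
        if outside_business_hours(closed):
            reasons.append(f"closed outside business hours ({row['closed_at']})")
        if closed - opened < MIN_WINDOW:
            reasons.append(f"open for only {closed - opened}, policy requires {MIN_WINDOW.days} days")
        if reasons:
            findings.append((row["tender_id"], reasons))
    return findings


def flag_odd_hour_access(csv_text: str) -> list[tuple[str, str, str]]:
    """Return (user, timestamp, action) for staff activity outside business hours."""
    return [
        (row["user"], row["timestamp"], row["action"])
        for row in csv.DictReader(StringIO(csv_text))
        if outside_business_hours(_ts(row["timestamp"]))
    ]


if __name__ == "__main__":
    for tender_id, reasons in flag_tender_windows(TENDER_WINDOWS):
        print(tender_id, "->", "; ".join(reasons))
    for user, when, action in flag_odd_hour_access(ACCESS_LOG):
        print(f"odd-hour access: {user} {when} {action}")
```

Joining the two outputs on timestamp (an odd-hour OPEN_TENDER_WINDOW event shortly before a flagged window opens) is the next step an investigator would take against the real logs.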
A second case is not yet resolved, but illustrates the importance of having controls over the electronic opening of bids. In 2014, allegations surfaced that the e-tendering process used by Karnataka Power Corporation (KPC) involved corruption after a High Court found “serious flaws and lapses” in the process.

The allegations stem from KPC’s tender for the transportation of coal from Odisha to the Raichur Thermal Plant. The tender was handled through KPC’s e-procurement portal and a total of seven companies submitted bids. Technical bids were opened on two different dates in June 2014, but a list of all qualified tenders was never made. Then, only the financial bid of one company was opened, and that company was awarded the contract. As it turns out, the winning company submitted the highest price for the contract.

This allegation remains unsettled, so no guilt or innocence can be concluded at this time. However, one obvious flaw (an oversight at a minimum, and potentially an intentional act) in the process concerns the manner in which electronic bids were opened, a point addressed earlier in this paper. Even if the other six bids were eliminated for legitimate technical reasons, the multiple dates of opening technical bids and the lack of a proper list or ranking of qualified bids on technical merits indicate serious weaknesses in the process used.
IT Security Risks in General

There are numerous fraud risks surrounding the security of an e-tendering system. Most of these risks are not unique to any single phase of procurement. A complete explanation of IT security risks relevant to e-tendering is well beyond the scope of this session. However, a few key principles should be considered.

Regardless of which phase of the procurement cycle is involved, information security becomes a critical priority in an e-tendering environment. Organizations that implement e-tendering systems should keep in mind the three basic principles of information security:
1. Confidentiality
2. Integrity
3. Availability

Confidentiality refers to making information accessible only to those authorized to use it and preventing unauthorized disclosure of systems and information. Vendors submit a lot of sensitive and otherwise confidential information when they enroll in an e-tendering system and begin submitting bids. Banking and financial data of the vendor and personal information about owners and officers are just a couple of examples of the data that may be gathered in an e-tendering system. Other vendors or unknown third parties would certainly like to obtain this information, and might be able to do so in any of the following manners:
- Directly, through unauthorized access to parts of the system in which this data is held
- Through service providers (vendors that host the e-tendering site or that otherwise have access to the system as part of their work for the purchasing entity)
- Via purchasing entity personnel (most commonly procurement or IT personnel)
Integrity refers to safeguarding the accuracy and completeness of information and processing methods and preventing unauthorized modification of systems and information.
Availability refers to ensuring that information is available when required and preventing disruption of service and productivity. The BMC case is an excellent example of how corrupt purchasing employees can rig a system’s availability to benefit preferred vendors.

Most IT security risks relevant to an e-tendering system correspond to weaknesses in one or more of the preceding three areas.

Authentication, discussed earlier, is sometimes listed as a separate component of IT security, as is non-repudiation. Non-repudiation refers to a process that ensures that the parties to a transaction cannot deny their participation in that transaction. For example, non-repudiation ensures that a vendor cannot deny having submitted a bid quoting certain prices and terms, or having submitted certain data during the prequalification process.

Like authentication, discussed earlier, non-repudiation is often obtained through the use of digital signatures.

Just as IT security is a topic that extends well beyond the scope of this paper, so too would be a listing of IT security risks applicable to an e-tendering system. However, organizations that have adopted e-tendering have commonly identified certain risks that should be considered, such as:
- IP spoofing, where a fraudster impersonates a legitimate user’s IP address to access the e-tendering system without authentication
- Unvalidated redirects, in which a Web application redirects victims (bidders) to phishing or malware sites, or uses forwards to access unauthorized pages
- Insecure cryptographic storage, where sensitive data, such as authentication credentials, are not protected with proper encryption or hashing
- Injection, in which hostile data sent to the e-tendering system can potentially trick the system into executing unintended commands or accessing unauthorized data
- Cross-site scripting (XSS), where an attacker executes scripts in the victim’s browser that can hijack user sessions or redirect the user to malicious sites

This is, of course, a very partial list of the vast potential for risks. And none of these risks are unique to e-tendering. E-commerce and many other types of sites and systems possess the same risks. But these are very real risks for e-tendering systems.
Guidance on IT Security

Organizations considering implementing an e-tendering system, as well as organizations already using one but who would like to review the IT security features of their systems, may find the following publications of use:
- Recommendations for Effective Public e-Procurement, Part I: High-Level Report, The e-Tendering Expert Group (e-TEG) of the European Commission, February 2013
- Recommendations for Effective Public e-Procurement, Part II: Operational Recommendations, The e-Tendering Expert Group (e-TEG) of the European Commission, February 2013
- e-Procurement Golden Book of Good Practice—Final Report, 11 March 2013, prepared for Directorate General Internal Market and Services of the European Commission

Each of these publications focuses exclusively on e-tendering and provides guidance on numerous IT security risks that go beyond the scope of this paper.
For broader guidance on IT security (not associated specifically with e-tendering), two sources are of particular use:
- The ISO27k suite of information security standards adopted by ISO/IEC (e.g., ISO/IEC 27001, 27002, etc.)
- Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53 (Revision 4), April 2013, National Institute of Standards and Technology, U.S. Department of Commerce

The ISO 27k suite is a series of standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Of the entire suite of standards, ISO/IEC 27002 is the standard dealing most directly with information security controls. The 2013 version of ISO/IEC 27002 addresses 14 different domains of information security. Within these 14 domains, 35 control objectives are identified, associated with protecting the confidentiality, integrity, and availability of information. These control objectives are fairly high level in nature, and they are supported by a total of 114 controls. There are actually significantly more than 114 controls identified, however, in the guidance.
Conclusions

Converting from a paper-based system to e-tendering can have many benefits, as indicated at the beginning of this paper. One of those benefits is increased transparency. This is achieved through the great capabilities of e-tendering for maintaining an audit trail. And since this audit trail is electronic in nature, it creates a very strong potential for the use of data analytics. Data mining in an e-tendering system is filled with possibilities.

But, e-tendering should never be viewed as foolproof or as a complete solution to fraud and corruption risks. Far from it. It changes the game, closing some opportunities for fraud, changing others, and even creating some new ones. Fake bids from shell companies are reportedly even greater in e-tendering systems than paper systems in some cases (perhaps a good argument for stronger prequalification steps).

There are also internal obstacles in making such a conversion. Organizations should never opt for e-tendering without first performing a top-to-bottom assessment of their operations, processes, and capabilities. A poorly implemented e-tendering system will be worse than a paper system.

In spite of these obstacles, however, most organizations that have made the switch from paper to electronic systems have expressed satisfaction with their decision.