A vendor empanelment process is a commercial exercise. Its job is to confirm that a counterparty exists, is solvent enough to deliver, and can be transacted with at an acceptable price. Performed properly, it works. The trouble is that vendor fraud, when it occurs, is engineered to satisfy precisely the criteria an empanelment process is designed to test. The shell company will have a PAN, a GSTIN, a working bank account, and a person who answers the phone. The kickback arrangement will sit behind a vendor that, on paper, looks perfectly ordinary.
A forensic eye looks at vendor data differently. It is not looking for evidence that a vendor is real. It is looking for patterns inconsistent with how real vendors actually behave. That distinction — the difference between an empanelment test and a forensic test — is what separates a commercial procurement function from one that can detect fraud before it becomes a board-level matter.
The Association of Certified Fraud Examiners’ Occupational Fraud 2024: Report to the Nations identifies billing schemes — and within them, shell-company schemes — as the single most common form of asset misappropriation in organisations worldwide. Donald Cressey’s Fraud Triangle, refined into the Fraud Diamond by Wolfe and Hermanson, gives the conditions under which they occur: pressure, opportunity, rationalisation, and capability. Albrecht’s Fraud Scale, developed at the Institute of Internal Auditors in 1984, replaces the rationalisation element with personal integrity — on the argument that integrity is observable from a person’s prior conduct in a way that rationalisation is not. That observation is operationally important and we will return to it. The COSO Enterprise Risk Management framework, in its 2017 revision, places fraud risk inside the Performance component — identification, assessment, response, and reporting linked to business objectives — under the oversight of Governance and Culture. Vendor due diligence, properly understood, is therefore not an audit task at all. It is an enterprise risk-management discipline that the board owns.
For listed Indian companies, the governance is statutory. Section 177 of the Companies Act, 2013 places related party transactions under audit-committee oversight. Section 188 prescribes the approval and arm’s-length tests, with disclosure in Form AOC-2 to the Board’s Report under Section 134(3)(h) and maintenance of the Register of Contracts in Form MBP-4. CARO 2020 obliges the statutory auditor to report on related-party compliance under Clause 13, and to report any fraud noticed during audit under Clause 11, with material instances escalated to the Central Government in Form ADT-4. None of these provisions detects fraud. Taken together, they define what an audit committee will be expected to have asked.
What follows is the operational layer beneath all of this — the seven patterns I have learnt, across more than two decades of audit and forensic work, that distinguish a fraudulent or compromised vendor from a clean one.
None of these flags, on its own, proves wrongdoing. Each is a pattern worth investigating. Read them as a forensic-trained CXO would — not as accusations, but as places where the next set of questions should be asked.
1 · Address concentration
Multiple “different” vendors registered at the same physical address.
The single most reliable indicator of a shell-company billing scheme in the ACFE Fraud Tree is address concentration in the vendor master. Two or more vendors, with apparently independent names, GSTINs, and bank accounts, sharing the same registered office or the same correspondence address. In a clean vendor base, this should be a vanishing rarity. In a compromised one, it recurs.
The empanelment process does not catch this because it tests each vendor individually. Each passes its own KYC. Only when the vendor master is viewed as a *dataset*, sorted and deduplicated on the address field with proper string-normalisation, does the pattern appear.
The forensic check is straightforward and inexpensive: extract the vendor master, normalise addresses (remove punctuation, expand abbreviations, standardise PIN codes), and group by normalised address. Anything with two or more vendors at the same address goes onto a list for further review. The list is rarely zero, even in well-run organisations. Each entry is a question, not an accusation — legitimate explanations exist (shared business parks, professional services aggregations) — but each must be answered.
2 · Beneficial-ownership and director overlap
Vendors with apparently independent ownership, but shared natural persons in the chain.
A more sophisticated variation of the shell-company pattern uses different addresses but shares directors or beneficial owners across the “independent” vendors. The CIN-level corporate filings in MCA, combined with KYC data on the director and PAN-level data, reveal these links. A routine empanelment process treats each vendor as a separate entity. A forensic review treats the vendor base as a network.
Three patterns recur in this category. First, a single individual appearing as director or significant shareholder in two or more vendors supplying the company. Second, individuals related by surname, address history, or telephone number across vendors. Third, vendors incorporated within a short window of each other — a pattern Cressey’s framework would identify as the *capability* element of the Fraud Diamond — suggesting common origination.
The check requires pulling the MCA filings (DIN-level information for all directors) and cross-referencing across the vendor master. For mid-sized vendor bases this is a one-day exercise. Where related-party links emerge, the next question is whether they fall within the scope of Section 188 of the Companies Act, 2013 — and if so, whether the transaction received the required Board approval, whether it was on an arm’s-length basis under the proviso, whether it was disclosed in Form AOC-2 to the Board’s Report under Section 134(3)(h), and whether it appears in the Register in Form MBP-4. The audit committee’s independent oversight responsibility under Section 177 sits behind all of this. CARO 2020 Clause 13 will, in turn, require the statutory auditor to report on the same compliance — which means the question is going to be asked one way or the other. Better that it is asked internally first.
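As an added illustration (not the author's or the firm's own tooling), the following Python treats the vendor master as a network: it normalises addresses and phone numbers as flag 1 describes, then links vendors that share a normalised address, a telephone number or a director DIN, as flag 2 describes, using union-find. The vendor records, DINs, phone numbers and the abbreviation list are constructed for the example.

```python
import re
from collections import defaultdict

# Abbreviations expanded during normalisation (illustrative list; extend from your own vendor master)
ABBREV = {"rd": "road", "st": "street", "bldg": "building", "flr": "floor", "opp": "opposite"}

def normalise_address(addr):
    """Lower-case, strip punctuation, expand abbreviations, drop spacing, isolate the 6-digit PIN."""
    tokens = [ABBREV.get(t, t) for t in re.sub(r"[^\w\s]", " ", addr.lower()).split()]
    pin = next((t for t in tokens if re.fullmatch(r"\d{6}", t)), "")
    return "".join(t for t in tokens if t != pin) + "|" + pin

def normalise_phone(phone):
    """Keep the last ten digits so '+91', STD-code and spacing variants compare equal (assumes Indian numbering)."""
    return re.sub(r"\D", "", phone)[-10:]

def vendor_keys(v):
    """Every identity key on a vendor record that could be shared with another record."""
    keys = {("addr", normalise_address(v["address"])), ("phone", normalise_phone(v["phone"]))}
    return keys | {("din", d) for d in v["dins"]}

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_vendors(vendors):
    """Union-find over shared keys; returns (member codes, shared keys) for every cluster of 2+ vendors."""
    index = defaultdict(list)
    for v in vendors:
        for k in vendor_keys(v):
            index[k].append(v["code"])
    parent = {v["code"]: v["code"] for v in vendors}
    for codes in index.values():
        for c in codes[1:]:
            parent[find(parent, c)] = find(parent, codes[0])
    clusters = defaultdict(set)
    for code in parent:
        clusters[find(parent, code)].add(code)
    report = []
    for members in clusters.values():
        if len(members) > 1:
            shared = sorted(f"{kind}:{val}" for (kind, val), codes in index.items()
                            if len(codes) > 1 and set(codes) <= members)
            report.append((sorted(members), shared))
    return sorted(report)

# Constructed sample of a vendor-master extract (codes, DINs and numbers are fictitious)
VENDORS = [
    {"code": "V001", "address": "12, M.G. Rd., Bldg 3, Pune - 411001", "phone": "+91 98220 11111", "dins": ["00000101"]},
    {"code": "V002", "address": "12 MG Road Building 3 Pune 411001", "phone": "020-2555-0000", "dins": ["00000202"]},
    {"code": "V003", "address": "7 Park St Kolkata 700016", "phone": "033 2222 3333", "dins": ["00000101", "00000303"]},
    {"code": "V004", "address": "Plot 9, MIDC, Nashik 422010", "phone": "0253 123 4567", "dins": ["00000404"]},
]

if __name__ == "__main__":
    for members, shared in cluster_vendors(VENDORS):
        print(members, "linked by", shared)
```

Each cluster printed is a question to be answered, not a finding: V001 and V002 share an address, and V003 is pulled in only because it shares a director with V001.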
3 · The invoice-amount distribution does not obey Benford’s Law
A statistical test the procurement function will almost never have run.
In 1938, the physicist Frank Benford observed that in naturally occurring numerical data — populations, river lengths, stock prices, and, as it turns out, genuine business transactions — the leading digit is not uniformly distributed. The digit 1 appears as the leading digit roughly 30 percent of the time, the digit 2 roughly 17 percent, descending logarithmically to the digit 9, which appears only 4.6 percent of the time. Mark Nigrini’s landmark 1999 work in the Journal of Accountancy applied this distribution to fraud detection. It has since become a standard tool in forensic accounting and is taught in the ACFE’s CFE curriculum.
When invoice amounts are manufactured — whether by a shell-company operator inventing values, or by an internal employee structuring invoices below an approval threshold — the resulting digit distribution rarely conforms to Benford’s expectation. Two specific deviations are particularly indicative. First, an over-representation of the leading digit immediately below an approval threshold (a vendor consistently invoicing at, for example, ₹4.9 lakh against an internal ₹5 lakh competitive-quote threshold, so that leading digit 4 appears far more often than Benford predicts). Second, an over-representation of round numbers relative to genuine transactions, which under-represent them — what Lehmann’s observation on round-number bias predicts: fraudulent invoices cluster at psychologically “reasonable” values like ₹50,000 or ₹1,00,000 far more often than real invoices do.
The check is statistical and runs on the accounts-payable extract for the period. A simple Benford’s Law conformity test, executed in Excel or a forensic-analytics tool, will identify vendors whose invoice distributions are anomalous at a statistically significant level. Anomaly is not proof. It is a screening filter that points the next layer of investigation at the vendors most likely to repay scrutiny.
4 · Operational impossibility
A vendor invoicing for capability it cannot physically deliver.
This is the test that most cleanly distinguishes a real vendor from a shell one. A real vendor has a plant or an office, employees on the payroll, equipment on the balance sheet, electricity bills, GST output for end-customers other than your company. A shell vendor has none of these — or has them only on paper.
The empanelment process collects audited financials and may inspect the office. A forensic review reads the financials differently. Does the vendor’s plant-and-machinery on the fixed-asset schedule reasonably support the volume of output being invoiced to the company? Does the wage bill suggest a workforce of the size required to deliver the contracted scope? Is the vendor’s GST output limited almost entirely to the company — that is, does this vendor have any other customer? In one engagement, a sub-contractor billing the client several crore annually for fabrication services was found, on examination of its statutory returns, to have a fixed-asset base of less than ten lakh and no manufacturing electricity load. The work was being procured elsewhere; the “vendor” was a pass-through. The pricing margin between the actual supplier and the pass-through vendor was the fraud.
Pass-through schemes, in the ACFE Fraud Tree, sit within the billing-scheme category and are among the most financially damaging because they tend to run for years before detection. The forensic test is to compare the contracted scope and value to the vendor’s declared statutory footprint. Where the two cannot reconcile, the next step is a site visit conducted by someone trained to look beyond the meeting room.
5 · Bank-account pattern anomalies
Payments routing to accounts not consistent with the vendor’s identity or geography.
The bank account is where the money leaves the system, and it is therefore where forensic attention concentrates. Three specific patterns are worth checking, none of which a routine empanelment will surface.
First, account-name and vendor-name mismatch. The vendor name on the invoice is one entity; the beneficiary name on the bank-account confirmation is another, related but not identical — often a proprietorship or personal account where a private limited company would be expected. Second, account-geography mismatch. A vendor headquartered in one state, supplying from another, with a bank account in a third location entirely — a pattern especially worth interrogating when the third location has no connection to the business. Third, account changes — vendors who request a change in beneficiary account, typically by email, particularly close to a payment cycle. This last is a well-documented vector in Business Email Compromise schemes and warrants verification by an independent channel before any change is processed.
The check is procedural and inexpensive. Bank-account details on the vendor master should be reconciled annually against fresh confirmation from each vendor, and any change in account details must trigger a re-verification protocol — a phone call to a known number, not the number on the email requesting the change. The protocol is not glamorous. It is also not a place where shortcuts pay.
6 · Last-digit analysis and round-number clustering
A second-tier digital test, often more revealing than the first.
Benford’s Law applies to leading digits. Nigrini’s extension of digital analysis covers the last two digits of an amount — which, in genuinely random transaction data, should approximate a uniform distribution across all hundred possible endings. Real business invoices, calculated from real units and real per-unit prices, almost never cluster at psychologically “round” endings (000, 500, 250). Fabricated invoices — and, importantly, the round-number ceiling-bid pattern common in inflated procurement — do.
A last-digit analysis on a year’s payable extract for a particular vendor will, in a normal supplier, produce something close to uniformity. In a vendor whose invoices are negotiated against a budget rather than computed from a unit price — or invented entirely — the pattern departs from uniformity in a way that is statistically detectable. This is one of the more powerful tests in the forensic toolkit because it is genuinely difficult for a fraudster to defeat without significant operational sophistication.
In one investigation, a vendor supplying maintenance services across multiple locations was found to have 47 percent of its invoices ending in “00”, against an expected uniform-distribution rate of 1 percent. The investigation that followed confirmed what the digital pattern had already suggested: the invoices were not being computed from any underlying unit basis. They were being chosen.
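The two digital tests, flag 3 (first-digit Benford conformity) and flag 6 (last-two-digit uniformity), as an added Python example that is not the author's or the firm's own code. It scores one vendor's invoice amounts with the mean absolute deviation from Benford and the share of "00" endings; the thresholds, the log-spaced "clean" sample and the suspect vendor's invoices are constructed assumptions for the illustration.

```python
import math
from collections import Counter

# Benford's expected first-digit probabilities: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

def first_digit(amount):
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[0]) if digits else None

def last_two_digits(amount):
    """Last two digits of the whole-rupee amount (assumes invoices are analysed in rupees, not paise)."""
    return int(round(abs(amount))) % 100

def first_digit_test(amounts):
    """Observed first-digit proportions and their mean absolute deviation (MAD) from Benford."""
    digits = [d for d in map(first_digit, amounts) if d]
    counts, n = Counter(digits), len(digits)
    observed = {d: counts[d] / n for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD[d]) for d in BENFORD) / 9
    return observed, mad

def last_two_digits_test(amounts):
    """Proportion of invoices at each of the 100 possible endings; uniform expectation is 0.01 each."""
    counts = Counter(map(last_two_digits, amounts))
    return {e: counts[e] / len(amounts) for e in range(100)}

def screen_vendor(amounts, mad_limit=0.015, round_limit=0.05):
    """Return the digital-analysis flags for one vendor's invoices. Thresholds are assumptions for
    illustration: 0.015 is Nigrini's published first-digit MAD boundary for nonconformity, and 5%
    of '00' endings is five times the uniform expectation."""
    _, mad = first_digit_test(amounts)
    share_00 = last_two_digits_test(amounts)[0]
    flags = []
    if mad > mad_limit:
        flags.append(f"first-digit MAD {mad:.3f} exceeds {mad_limit}")
    if share_00 > round_limit:
        flags.append(f"{share_00:.0%} of invoices end in 00 against a uniform expectation of 1%")
    return flags

def genuine_sample(per_decade=1000):
    """Constructed stand-in for a clean vendor: amounts evenly spaced in log space over three decades
    (Rs 1,000 to Rs 10,00,000), which conforms to Benford's Law by construction."""
    return [1000 * 10 ** (i / per_decade) for i in range(3 * per_decade)]

# Constructed suspect vendor: invoices chosen just under a Rs 5 lakh threshold, nearly all round.
SUSPECT = [490000.0, 495000.0, 480000.0, 499000.0] * 12 + [47850.0, 312400.0, 155000.0, 1250000.0]

if __name__ == "__main__":
    print("clean vendor:", screen_vendor(genuine_sample()) or "no flags")
    print("suspect vendor:", screen_vendor(SUSPECT))
```

Run it per vendor over the accounts-payable extract; a vendor with too few invoices (fewer than a few hundred) will produce noisy proportions, so treat its flags as weaker.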
7 · The persistent sole-source pattern with a single internal sponsor
Where the Fraud Triangle’s opportunity element typically sits.
Of the seven flags in this framework, this is the one that does not need data analytics to detect. It needs only that someone in the organisation is willing to ask. A vendor who is consistently approved as sole-source for materially-sized work, where the internal sponsor is consistently the same person, and where competitive process is consistently “waived” on grounds of urgency, technical necessity, or relationship history.
The Fraud Triangle, in this category, helps explain why the pattern is so persistent. The sole-source approval removes opportunity controls — the segregation of duties, the competitive benchmarking, the independent challenge — that would otherwise constrain the relationship. Albrecht’s Fraud Scale sharpens this further: where Cressey’s framework treats rationalisation as the third leg, Albrecht substituted personal integrity, on the argument that integrity is observable from a person’s prior conduct in a way that rationalisation is not. In sole-source patterns, this is precisely the question that needs to be asked: what is the prior conduct of the internal sponsor, and what is the integrity record? Where this concentration of authority sits with a single individual over time, the conditions for either a kickback arrangement or a related-party benefit are present. The ACFE’s Fraud Tree classifies the corresponding scheme as corruption — specifically, invoice kickbacks or bid-rigging — and the median financial loss from this category is materially higher than from billing schemes.
The check is a vendor concentration analysis: identify the top fifty vendors by spend, identify how many were appointed through competitive process versus single-source approval, and identify which internal manager sponsored each appointment. Patterns reveal themselves quickly. A single sponsor with disproportionate sole-source authority over a meaningful portion of spend is not, by itself, evidence of wrongdoing. It is, however, an *operational risk position* that no audit committee should be comfortable with, regardless of intent. Remediation is structural: introduce a competitive process, rotate sourcing authority, or formally accept the risk with documented justification.
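The concentration analysis above, as an added Python example (not the author's or the firm's own code): it ranks vendors by spend, counts competitive against sole-source appointments among the top N, attributes sole-source spend to each internal sponsor, and isolates vendors that were sole-source under one sponsor in every year on record. The register rows and the share and year thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed three-year appointment register: (year, vendor, annual spend in INR, method, sponsor)
REGISTER = [
    (2022, "V101", 42_000_000, "sole-source", "Plant Head"),
    (2023, "V101", 45_000_000, "sole-source", "Plant Head"),
    (2024, "V101", 51_000_000, "sole-source", "Plant Head"),
    (2022, "V102", 30_000_000, "competitive", "Procurement"),
    (2023, "V102", 31_000_000, "competitive", "Procurement"),
    (2024, "V102", 29_000_000, "competitive", "Procurement"),
    (2022, "V103", 12_000_000, "sole-source", "IT Head"),
    (2023, "V103", 11_000_000, "competitive", "Procurement"),
    (2024, "V103", 9_000_000, "competitive", "Procurement"),
    (2024, "V104", 8_000_000, "sole-source", "Plant Head"),
]

def concentration_analysis(register, top_n=50, share_limit=0.25, min_years=2):
    """Top-N vendors by spend, appointment method per vendor-year, and sole-source spend by sponsor.
    share_limit and min_years are assumed thresholds for illustration."""
    spend = Counter()
    for _, vendor, amount, _, _ in register:
        spend[vendor] += amount
    top = {v for v, _ in spend.most_common(top_n)}
    top_total = sum(spend[v] for v in top)
    history = defaultdict(list)
    for year, vendor, amount, method, sponsor in register:
        if vendor in top:
            history[vendor].append((year, amount, method, sponsor))
    by_method = Counter(row[2] for rows in history.values() for row in rows)
    sole_spend, persistent = Counter(), []
    for vendor, rows in history.items():
        sole = [r for r in rows if r[2] == "sole-source"]
        for _, amount, _, sponsor in sole:
            sole_spend[sponsor] += amount
        # "persistent": every year on record was sole-source, the same sponsor each time, over min_years+
        if len(rows) >= min_years and len(sole) == len(rows) and len({r[3] for r in sole}) == 1:
            persistent.append((vendor, sole[0][3], sorted(r[0] for r in rows), spend[vendor]))
    flagged = {s: round(a / top_total, 3) for s, a in sole_spend.items() if a / top_total > share_limit}
    return {"top_total": top_total, "appointments_by_method": dict(by_method),
            "persistent_sole_source": sorted(persistent), "sponsors_over_limit": flagged}

if __name__ == "__main__":
    for key, value in concentration_analysis(REGISTER).items():
        print(f"{key}: {value}")
```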
What to do with this framework.
If a CXO of a large organisation reads through these seven flags and recognises one or two as plausibly present in their vendor base, the natural question is how to act on the suspicion without triggering a disruptive investigation that may turn out to be unwarranted.
The path I would recommend, after many engagements in this territory, is sequential and discreet. Begin with the data-analytic tests — flags one, two, three, and six — because they are silent. They run against the vendor master and accounts-payable extracts without alerting any vendor or any internal sponsor. They produce a short list of vendors that warrant further attention. From that short list, the operational tests — flags four, five, and seven — are applied selectively, again without broader announcement, until either an explanation is found or the case for a formal investigation has been established.
A proper forensic vendor review on a mid-sized listed company — conducted under engagement-letter confidentiality, with audit committee oversight — typically identifies between two and seven vendors warranting further investigation, out of a base of several thousand. Of those, some prove benign on examination. Some require remediation of process. A small number prove to be what they appear: structural integrity failures that have been costing the organisation real money for years and creating real exposure under the Companies Act, the Indian Penal Code, and applicable anti-bribery legislation.
Properly framed under COSO ERM, this work sits in the Performance component, with reporting to the audit committee under Governance and Culture. It is not a one-time clean-up. It is a recurring discipline that the board owns and the partner-led firm supports. Where vendor fraud has occurred and the statutory auditor identifies it under CARO 2020 Clause 11, the matter escalates to the Central Government in Form ADT-4 — an outcome no audit committee chair wishes to discover for the first time in the auditor’s report. Better, in every respect, that the firm has already looked.
The work is uncomfortable. It is also exactly the work that an audit committee chair needs to be confident has been done. The frameworks of Cressey, Albrecht, Nigrini, Wolfe and Hermanson, and the ACFE were developed because the consequences of not doing this work are larger than the cost of doing it. That has not changed.
That, in a sentence, is the work the firm does.
Randhir is the founding partner of RKLCMA and a Certified Fraud Examiner of the Association of Certified Fraud Examiners (United States). He previously served as Group Internal Auditor at ABB covering Asia, the Middle East, and Africa, where forensic and anti-bribery reviews were a recurring part of the brief. The firm conducts vendor due diligence, forensic investigations, and FCPA compliance reviews for listed Indian companies and multinationals operating in India.
Selected references
- Association of Certified Fraud Examiners. Occupational Fraud 2024: A Report to the Nations. Austin, TX: ACFE, 2024.
- ACFE Occupational Fraud and Abuse Classification System (the “Fraud Tree”).
- Cressey, Donald R. Other People’s Money: A Study in the Social Psychology of Embezzlement. Glencoe, IL: Free Press, 1953.
- Albrecht, W. Steve, Keith R. Howe, and Marshall B. Romney. Deterring Fraud: The Internal Auditor’s Perspective. Institute of Internal Auditors Research Foundation, 1984. (Introducing the Fraud Scale.)
- Wolfe, David T., and Dana R. Hermanson. “The Fraud Diamond: Considering the Four Elements of Fraud.” The CPA Journal, December 2004.
- Nigrini, Mark J. “I’ve Got Your Number.” Journal of Accountancy, May 1999.
- Nigrini, Mark J. Benford’s Law: Applications for Forensic Accounting, Auditing, and Fraud Detection. Wiley, 2012.
- Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management — Integrating with Strategy and Performance. COSO, June 2017.
- The Companies Act, 2013 — Sections 177, 188, and 134(3)(h); Companies (Meetings of Board and its Powers) Rules, 2014; Companies (Accounts) Rules, 2014 (Form AOC-2, Form MBP-4).
- The Companies (Auditor’s Report) Order, 2020 (CARO 2020) — Clause 11 (Fraud Reporting) and Clause 13 (Related Party Compliance); Form ADT-4 under the Companies (Audit and Auditors) Rules, 2014.