| BLOG — SUPPLY CHAIN SECURITY · PRIVATE EQUITY · 10 min read |
|---|
| Vendor Fraud in the Middle Market: The Schemes PE-Backed Operators Are Absorbing Without Knowing It |
| The four most common vendor fraud patterns in retail and distribution — how they work, what they cost, and what your current controls are missing |
By Mitchell Hamm | Founder & Principal Advisor, Ironside Risk Advisors | Dallas, TX
Vendor fraud is the category of operational loss that generates the most genuine surprise when I raise it with PE operating partners. Not because it is rare. Because it is invisible in a way that internal theft is not.
Internal theft produces an inventory variance. The shrink number goes up. Someone eventually notices. Vendor fraud is different. The most sophisticated vendor fraud schemes are designed to look exactly like normal business activity — a receiving variance that looks like a counting error, a credit memo that looks like a legitimate adjustment, a short-shipment that looks like a transit loss. The losses are real. They appear in the financial statements. They look like cost of goods volatility rather than fraud, and they get investigated with the same rigor as cost of goods volatility — which is to say, almost none.
On a business doing $60 million in cost of goods with 80 active vendor relationships and no vendor fraud controls, the math suggests you are absorbing somewhere between $300,000 and $900,000 per year in vendor-side losses. Some of that is genuine transit damage and counting error. Some of it is not. The absence of controls means you cannot tell the difference.
This post covers the four most common vendor fraud schemes in retail and distribution environments, how each one works mechanically, what it costs, and what control infrastructure is required to detect and prevent it.
Why Vendor Fraud Is Systematically Underreported
Before describing the specific schemes, it is worth understanding why vendor fraud generates such low detection rates in middle market businesses.
The relationship dynamic discourages scrutiny. In most retail and distribution businesses, vendor relationships are managed by the buying or merchandising team — people whose job is to maintain productive vendor partnerships, negotiate favorable terms, and ensure product availability. Questioning a vendor’s invoice accuracy or claiming a receiving discrepancy puts friction in a relationship that the buyer wants to protect. The result is a systematic bias toward accepting vendor claims at face value because disputing them is uncomfortable and creates tension with the commercial team.
The accounting treatment obscures the pattern. Vendor-side losses appear in cost of goods, in receiving write-offs, in vendor claims accounts, or in shrink — depending on how the business handles receiving discrepancies. A vendor fraud scheme that produces $8,000 per month in overpayments spread across a dozen line items and three accounts looks like noise. A systematic review of receiving variances against the vendor’s invoices and the carrier’s delivery documentation would reveal the pattern, but that review does not happen without a control designed to produce it.
LP programs are focused internally. Most Loss Prevention programs are designed to address internal theft — employee-facing controls, POS exception reporting, inventory management. Vendor fraud requires a different control orientation: outbound vendor invoice verification, inbound receiving accuracy validation, and systematic review of vendor credit memos. Many LP programs do not own this space, and the finance or accounting function is not staffed to investigate it.
The Four Schemes
1. Short-Shipment with Manifest Acceptance
This is the most common and highest-volume vendor fraud scheme in retail and distribution. The mechanics are straightforward: the vendor ships fewer units than are documented on the purchase order and the bill of lading. The receiver, who has access to the PO quantity before counting, accepts the delivery at the manifest count — either because they are complicit, because they are under time pressure and did not count carefully, or because blind receiving is not practiced and they simply trusted the documentation.
The vendor is paid for the quantity on the manifest. The business receives fewer units. The discrepancy surfaces as a receiving variance, which is written off as a counting error or posted to the vendor claims account, where it may sit unresolved for months.
The cost of this scheme at scale is significant. A vendor documenting 100 units but delivering 94 on each of 200 purchase orders per year generates a loss that scales with unit value; on a $500 average unit value, that is $60,000 per year from a single vendor. A portfolio company with 80 active vendors and no systematic receiving variance tracking is likely absorbing versions of this scheme across multiple vendor relationships simultaneously.
The control is blind receiving — receiving staff must not have access to PO quantities before the physical count — combined with systematic discrepancy reporting that routes vendor shortages to a review process rather than to automatic write-off.
2. Credit Memo Manipulation
Credit memos are a legitimate vendor tool: a vendor issues a credit to adjust for returned merchandise, defective goods, promotional allowances, or pricing corrections. The fraud version involves a vendor (sometimes in coordination with an internal employee who has accounts payable access) issuing credit memos that do not correspond to a legitimate credit event, or issuing credit memos for an amount that exceeds the actual credit to which the vendor is entitled.
In a business without systematic credit memo verification, the memo is received, matched against an open AP balance, and applied — because the process is designed to process credits efficiently, not to audit them. A vendor with a cooperative internal contact in accounts payable can run this scheme for years without a control designed to detect it.
The detection control is a periodic credit memo audit: pull all vendor credit memos for a trailing 12-month period, match each memo against the underlying credit event (the return authorization, the defective merchandise documentation, the promotional agreement), and flag any memo without a corresponding supporting document. The first time a business runs this audit after years without one, it almost always finds something.
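The audit described above can be run as a simple join once memos and supporting documents are exported. The sketch below is an added example, not code from Ironside or from any AP system; the record layout, reference prefixes, and finding codes are assumptions, and the data is constructed.

```python
from datetime import date, timedelta

# Constructed sample data; field names are assumptions, not a real AP export schema.
CREDIT_MEMOS = [
    {"memo_id": "CM-1001", "vendor": "V-017", "amount": 1200.00, "date": date(2024, 3, 4), "support_ref": "RA-553"},
    {"memo_id": "CM-1002", "vendor": "V-017", "amount": 4800.00, "date": date(2024, 5, 19), "support_ref": None},
    {"memo_id": "CM-1003", "vendor": "V-042", "amount": 2500.00, "date": date(2024, 6, 2), "support_ref": "PA-88"},
    {"memo_id": "CM-1004", "vendor": "V-042", "amount": 900.00, "date": date(2022, 1, 10), "support_ref": None},
    {"memo_id": "CM-1005", "vendor": "V-063", "amount": 300.00, "date": date(2024, 7, 1), "support_ref": "RA-999"},
]
# Supporting documents (return authorizations, promotional agreements), keyed by reference.
SUPPORT_DOCS = {
    "RA-553": {"vendor": "V-017", "amount": 1200.00},
    "PA-88": {"vendor": "V-042", "amount": 1750.00},
}

def audit_credit_memos(memos, docs, as_of, window_days=365, tolerance=0.01):
    """Return (memo_id, finding) pairs for memos in the trailing window that lack support."""
    cutoff = as_of - timedelta(days=window_days)
    findings = []
    for m in memos:
        if not (cutoff <= m["date"] <= as_of):
            continue  # outside the trailing audit period
        ref = m["support_ref"]
        doc = docs.get(ref) if ref else None
        if ref is None:
            findings.append((m["memo_id"], "NO_SUPPORT_REF"))
        elif doc is None:
            findings.append((m["memo_id"], "SUPPORT_DOC_NOT_FOUND"))
        elif doc["vendor"] != m["vendor"]:
            findings.append((m["memo_id"], "VENDOR_MISMATCH"))
        elif m["amount"] - doc["amount"] > tolerance:
            # Memo is larger than the documented credit event supports.
            findings.append((m["memo_id"], "AMOUNT_EXCEEDS_SUPPORT"))
    return findings

if __name__ == "__main__":
    for memo_id, finding in audit_credit_memos(CREDIT_MEMOS, SUPPORT_DOCS, date(2024, 8, 1)):
        print(memo_id, finding)
```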
3. Fictitious Vendor and AP Fraud
This scheme involves the creation of a fictitious vendor in the accounts payable system — an entity that does not exist, or that exists but provides no actual goods or services — and the issuance of payments to that vendor by an internal employee with the system access and approval authority to create the scheme.
The fictitious vendor scheme is less a vendor fraud than a vendor-enabled internal fraud — the “vendor” is a vehicle created by an insider. In retail and distribution businesses, the employees most likely to run this scheme are those with dual access to vendor master file management and payment processing: AP clerks, AP managers, controllers, and occasionally IT staff with system administration rights.
The control failures that enable fictitious vendor fraud are specific: no separation of duties between vendor master management and payment approval, no vendor onboarding verification process (tax ID validation, physical address confirmation, bank account verification), and no periodic review of the vendor master file to identify dormant or anomalous vendors.
A vendor master audit — a systematic review of the active vendor list against documented onboarding records, payment history, and current business relationships — will identify fictitious or dormant vendors with unusual payment activity. In a business that has never conducted this audit, the first one is often educational.
4. Diversion and Gray Market Schemes
This scheme is common in businesses with high-value, easily resalable product — electronics, beauty, consumer goods, branded apparel. A vendor (sometimes with an internal accomplice) diverts product intended for delivery to the legitimate buyer and sells it instead to a gray market buyer — a liquidator, an unauthorized reseller, or an overseas buyer. The purchase order is processed, the invoice is paid, and the product never arrives.
The variant involving an internal accomplice works slightly differently: the product is received at the facility and then diverted outbound — either through a receiving irregularity that does not record the units, a return authorization that sends product back to the vendor but does not credit the buyer, or a warehouse transfer that moves product to a location where it can be removed without detection.
In either case, the loss appears in the financial statements as a receiving variance or an unresolved vendor claim. The pattern — a specific vendor, a specific product category, a specific receiving dock, recurring variances of similar size — is detectable with systematic review. Without the review, it looks like routine cost of goods noise.
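The pattern named above (same vendor, category, and dock, with recurring variances of similar size) is what separates a scheme from a one-off transit loss. The following is an added example, not part of the original post; the thresholds and record layout are assumptions, and the receipts are constructed. It applies equally to the short-shipment scheme in section 1, since both surface as receiving variances against a blind count.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed receipts: (vendor, category, dock, po_qty, blind_count)
RECEIPTS = [
    ("V-017", "electronics", "DOCK-2", 100, 94),
    ("V-017", "electronics", "DOCK-2", 100, 94),
    ("V-017", "electronics", "DOCK-2", 200, 188),
    ("V-017", "electronics", "DOCK-2", 100, 95),
    ("V-017", "electronics", "DOCK-1", 100, 100),
    ("V-042", "apparel", "DOCK-1", 100, 100),
    ("V-042", "apparel", "DOCK-1", 100, 71),   # single large variance
    ("V-042", "apparel", "DOCK-1", 100, 100),
    ("V-042", "apparel", "DOCK-1", 100, 102),  # overage
]

def recurring_shortages(receipts, min_receipts=3, min_short_share=0.75, max_spread=0.02):
    """Flag (vendor, category, dock) groups where most receipts are short by a similar rate."""
    groups = defaultdict(list)
    for vendor, category, dock, po_qty, counted in receipts:
        groups[(vendor, category, dock)].append((po_qty - counted) / po_qty)
    flagged = []
    for key, rates in sorted(groups.items()):
        shorts = [r for r in rates if r > 0]
        if len(rates) < min_receipts or len(shorts) / len(rates) < min_short_share:
            continue  # too few receipts, or shortages are occasional rather than routine
        if pstdev(shorts) <= max_spread:  # shortages cluster around one rate
            flagged.append({"group": key, "receipts": len(rates),
                            "avg_short_rate": round(mean(shorts), 4)})
    return flagged

if __name__ == "__main__":
    for hit in recurring_shortages(RECEIPTS):
        print(hit)
```

The single 29% shortage on V-042 is not flagged: it still needs a discrepancy report, but it does not show the recurring, similar-size signature.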
What the Control Stack Actually Looks Like
A vendor fraud control program does not require a large internal team. It requires four things that most middle market businesses do not have in place at acquisition:
Blind receiving at all receiving locations. This is the foundational control. Without it, the short-shipment scheme runs with minimal friction. With it, the receiving count becomes an independent verification rather than a confirmation of the vendor’s manifest.
Systematic discrepancy reporting and resolution. Every receiving discrepancy above a threshold — $100, $500, whatever the business determines is material — should generate a formal discrepancy report that is reviewed by someone outside of the receiving function, tracked to resolution (either a vendor credit or a documented explanation), and closed within a defined timeframe. An AP subledger with hundreds of open, unresolved vendor claims is not a normal state of affairs — it is a signal.
Vendor master audit, annually. Review the active vendor list. Verify tax IDs. Confirm bank account legitimacy. Flag vendors with payment activity and no documented service history. Flag vendors whose mailing address matches an employee address. This audit takes one week with one person who knows what to look for. The findings in a business that has never conducted one are almost always material.
Credit memo verification. Every credit memo above a threshold should be matched against a supporting document before it is applied. This is a process control in AP, not a Loss Prevention function, but LP should be auditing the process periodically to confirm it is working.
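The vendor master checks listed above can be scripted against exports of the vendor file and the employee roster. This is an added example, not the author's tooling; the field names, abbreviation table, and flag names are assumptions, the records are constructed, and the tax ID check is a format test only, not verification against a tax authority.

```python
import re

# Constructed sample records; field names are assumptions, not a real ERP schema.
VENDORS = [
    {"id": "V-017", "tax_id": "12-3456789", "address": "400 Commerce St., Suite 12",
     "paid_ytd": 182000.0, "po_count": 41},
    {"id": "V-088", "tax_id": "", "address": "1522 Maple Street",
     "paid_ytd": 36500.0, "po_count": 0},
    {"id": "V-091", "tax_id": "98-7654321", "address": "77 Harbor Rd",
     "paid_ytd": 0.0, "po_count": 0},
]
EMPLOYEES = [
    {"id": "E-204", "role": "AP clerk", "address": "1522 MAPLE ST"},
    {"id": "E-311", "role": "Receiver", "address": "9 Elm Avenue"},
]
ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave", "suite": "ste"}

def normalize_address(addr):
    """Lowercase, strip punctuation, and collapse common suffixes so variants compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def audit_vendor_master(vendors, employees):
    """Return {vendor_id: [flags]} for vendors that trip any of the audit checks."""
    emp_by_addr = {normalize_address(e["address"]): e["id"] for e in employees}
    findings = {}
    for v in vendors:
        flags = []
        if not re.fullmatch(r"\d{2}-\d{7}", v["tax_id"]):  # US EIN layout NN-NNNNNNN
            flags.append("TAX_ID_MISSING_OR_MALFORMED")
        if v["paid_ytd"] > 0 and v["po_count"] == 0:
            flags.append("PAID_WITHOUT_SERVICE_HISTORY")
        match = emp_by_addr.get(normalize_address(v["address"]))
        if match:
            flags.append(f"ADDRESS_MATCHES_EMPLOYEE:{match}")
        if flags:
            findings[v["id"]] = flags
    return findings

if __name__ == "__main__":
    for vendor_id, flags in audit_vendor_master(VENDORS, EMPLOYEES).items():
        print(vendor_id, flags)
```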
The PE-Specific Context
For a PE-backed business in the lower middle market, vendor fraud control is almost never a Day 1 investment priority. There are systems to integrate, management teams to assess, revenue growth to pursue. The operational loss occurring quietly in the receiving dock and the AP system is not visible in any of the reporting that lands on the board deck.
It becomes visible 18 months in, when a systematic receiving discrepancy review surfaces a vendor relationship that has been generating consistent short-shipments for three years — or when an AP audit identifies a vendor created by a former employee that has been receiving payments since before the acquisition.
At that point, the loss has already occurred. The question is whether the control environment that allowed it is still in place, creating ongoing exposure, and whether the investigation that follows will be conducted in a way that produces a recoverable outcome or simply confirms the loss and closes the file.
Building the vendor fraud control stack in the first 90 days post-close — as part of the LP buildout, not as a separate initiative — is the correct sequence. It costs less, it catches more, and it demonstrates to the vendor community that the new ownership structure has controls that the previous one did not. That demonstration, by itself, changes vendor behavior.
| BOTTOM LINE | Vendor fraud in retail and distribution is not rare. It is systematically undetected because the controls that would surface it — blind receiving, discrepancy tracking, vendor master audits, credit memo verification — are absent in most lower middle market businesses at acquisition. The losses are in the financial statements. They just look like cost of goods volatility. A 90-day post-close LP buildout should include vendor fraud controls as a standard component, not an optional add-on. |
|---|
About Ironside Risk Advisors
Ironside Risk Advisors provides fractional loss prevention and cargo security advisory to private equity firms with retail and supply chain portfolio companies. Founded by Mitchell Hamm — 10+ years across a PE-backed multi-site retail operator and corporate security — the firm specializes in pre-acquisition risk assessment, post-close LP buildout, fractional LP director engagements, and supply chain cargo security audits. mitch@ironsideriskadvisors.com · (502) 608-7389 · ironsideriskadvisors.com · Dallas, TX