Procurement fraud is the quietest drain on most enterprise P&Ls. It does not announce itself with a system alert or a whistleblower memo. It accumulates in patterns that look like normal operations: invoices just below the approval threshold, bids that always seem to land with the same three vendors, purchase orders split across multiple entries to avoid review. SAS surveyed more than 2,000 global business leaders across 38 countries and found that businesses lose approximately 5% of total spend per year to procurement fraud, waste, and abuse. The PwC Global Economic Crime Survey 2024 ranks procurement fraud among the top three most disruptive economic crimes globally in the past 24 months — behind only cybercrime and corruption. And yet 20% of companies still do not use data analytics in any way to detect it.
The gap between the scale of the problem and the level of detection investment is not a resource issue. It is a visibility issue. Procurement fraud is not one crime. It is a family of schemes that share one characteristic: they look like legitimate transactions until someone connects the dots across time, suppliers, employees, and categories. The organizations that close the gap are not the ones with the largest fraud investigation teams. They are the ones that deploy four layers of data analytics across their procure-to-pay lifecycle — rules, anomaly detection, predictive models, and network analysis — and run them continuously, not quarterly.
The five schemes that cost you 5%
Procurement fraud breaks down into five scheme categories, each with distinct red flags and detection methods. Invoice fraud is the most common. SAS found that invoicing practices are the most popular target for fraudsters globally. The scheme is simple: suppliers submit duplicate invoices, inflate amounts, or create completely fictitious invoices for services never rendered. When an employee is colluding with the supplier, the invoices are approved without question. The red flags for invoice fraud are mechanical — multiple invoices from the same vendor on the same date, stair-stepped amounts that cluster just below your approval threshold, unexplained credit notes that reverse and re-submit.
Bid rigging is the second most common fraud type globally. Suppliers collude to manipulate the bidding process, deciding in advance who will win the contract and at what price. The red flags here are patterns, not data points. The same small group of suppliers bidding on every tender. Winners rotating across contracts in a predictable sequence. Identical pricing, wording, or formatting errors across supposedly independent bids. A winning bidder subcontracting substantial work to a losing bidder. RSM Australia reports that bid rigging may involve rotating which supplier submits the winning bid, illegally suppressing or withdrawing a bid so another supplier wins, or submitting token bids to influence the price.
Employee-supplier collusion and kickbacks form the third category. The SAS survey found that 24% of organizations report collusion between employees and suppliers. This is the hardest scheme to detect because the transactions appear legitimate. A procurement employee tailors bid specifications so only one supplier can meet them, then approves their above-market pricing. A buyer consistently routes business to a specific vendor without documentation. A manager resists supplier rotation or audit requests. The signals are behavioral as much as transactional.
Unjustified single-source awards — bypassing competitive bidding without proper justification — form the fourth category. Zageno's analysis of R&D procurement fraud found that bypassing the competitive process to select a single supplier is a common scheme, especially in indirect and tail spend categories where oversight is weaker. The fifth is post-award fraud: product substitution, substandard materials, or under-delivery against invoiced quantities. The supplier wins the contract legitimately but then cuts corners on delivery, relying on infrequent inspection to avoid detection.
Four analytics layers that catch what manual reviews miss
Continuous monitoring is not a technology. It is a deployment model — analytics running across every transaction, every day, rather than sampling a subset quarterly. SAS defines continuous monitoring as placing rigorous, ongoing controls throughout the procure-to-pay lifecycle to look for signs of errors, waste, and fraud. The analytics techniques that power it fall into four layers that build on each other.
Layer one is business rules and threshold checks. These are the simplest and fastest: flag any single-bidder tender above a certain value, any invoice cluster within 5% of the approval threshold, any PO-to-invoice ratio above a category benchmark. Rules catch the mechanical schemes — split invoices, duplicate payments, obvious threshold gaming. Their limitation is that they only catch what you already know to look for. Adaptive schemes and collusive arrangements pass through rules because the individual transactions look normal.
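The layer-one checks named above (near-threshold clustering, split invoices, duplicate payments) can be sketched as three plain rules. This is an added example, not code from the original article or from any vendor it cites; the approval threshold, the minimum cluster size and the invoice records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

APPROVAL_THRESHOLD = 10_000.00  # assumed approval limit
NEAR_BAND = 0.05                # "within 5% of the approval threshold"
MIN_CLUSTER = 3                 # assumed: near-threshold invoices per vendor before flagging

# Constructed sample: (invoice_id, vendor, invoice_date, amount)
INVOICES = [
    ("INV-001", "Acme Supplies", date(2024, 3, 4), 9_800.00),
    ("INV-002", "Acme Supplies", date(2024, 3, 4), 9_750.00),
    ("INV-003", "Acme Supplies", date(2024, 3, 18), 9_900.00),
    ("INV-004", "Borealis IT", date(2024, 3, 5), 4_200.00),
    ("INV-005", "Borealis IT", date(2024, 3, 5), 4_200.00),
    ("INV-006", "Cedar Office", date(2024, 3, 7), 9_600.00),
    ("INV-007", "Cedar Office", date(2024, 3, 9), 1_150.00),
]

def near_threshold_clusters(invoices):
    """Vendors with MIN_CLUSTER or more invoices just under the approval limit."""
    floor = APPROVAL_THRESHOLD * (1 - NEAR_BAND)
    hits = defaultdict(list)
    for inv_id, vendor, _, amount in invoices:
        if floor <= amount < APPROVAL_THRESHOLD:
            hits[vendor].append(inv_id)
    return {v: ids for v, ids in hits.items() if len(ids) >= MIN_CLUSTER}

def same_day_splits(invoices):
    """Vendor/day groups where every invoice is under the limit but the sum is not."""
    groups = defaultdict(list)
    for _, vendor, day, amount in invoices:
        groups[(vendor, day)].append(amount)
    return {
        key: round(sum(amounts), 2)
        for key, amounts in groups.items()
        if len(amounts) > 1
        and max(amounts) < APPROVAL_THRESHOLD
        and sum(amounts) >= APPROVAL_THRESHOLD
    }

def duplicate_candidates(invoices):
    """Invoice numbers that share vendor, date and amount with another invoice."""
    seen = defaultdict(list)
    for inv_id, vendor, day, amount in invoices:
        seen[(vendor, day, amount)].append(inv_id)
    return [ids for ids in seen.values() if len(ids) > 1]
```

On the sample, one vendor trips both the clustering and split rules, while the single near-threshold invoice from another vendor stays below the cluster minimum and is not flagged.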
Layer two is anomaly detection and pattern analysis. Unsupervised statistical models flag deviations from baseline behavior: an abnormal rise in invoice volume from a supplier, a sudden price increase that deviates from market trends, a buyer whose pattern of single-source awards exceeds their peers by two standard deviations. Anomaly detection catches the schemes that rules miss because it does not look for specific fraud signatures. It looks for things that are statistically unusual and flags them for human review.
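The peer comparison for single-source awards, as an added example that is not part of the original article: it scores each buyer against the other buyers only, because a z-score computed over a small group that includes the outlier is mathematically capped. The award counts, the minimum-awards filter and the function names are constructed assumptions.

```python
from statistics import mean, stdev

Z_CUTOFF = 2.0    # "two standard deviations" from the paragraph above
MIN_AWARDS = 20   # assumed: ignore buyers with too few awards for a stable rate

# Constructed sample: buyer -> (single_source_awards, total_awards) in one period
AWARDS = {
    "buyer_a": (3, 40),
    "buyer_b": (4, 50),
    "buyer_c": (2, 35),
    "buyer_d": (5, 45),
    "buyer_e": (3, 38),
    "buyer_f": (21, 42),
}

def rates(awards):
    """Single-source share of awards per buyer."""
    return {b: s / t for b, (s, t) in awards.items() if t >= MIN_AWARDS}

def pooled_z(awards, buyer):
    """z-score against a baseline that includes the buyer. With n buyers this can
    never exceed (n-1)/sqrt(n), about 2.04 for six, however extreme the buyer is."""
    r = rates(awards)
    return (r[buyer] - mean(r.values())) / stdev(r.values())

def peer_z(awards, buyer):
    """z-score against the other buyers only, so an outlier cannot mask itself."""
    r = rates(awards)
    peers = [v for b, v in r.items() if b != buyer]
    if len(peers) < 3 or stdev(peers) == 0:
        return None  # not enough peer variation to score
    return (r[buyer] - mean(peers)) / stdev(peers)

def single_source_outliers(awards, cutoff=Z_CUTOFF):
    """Buyers whose single-source rate exceeds their peers by more than `cutoff` sigma."""
    scores = {b: peer_z(awards, b) for b in rates(awards)}
    return {b: round(z, 1) for b, z in scores.items() if z is not None and z > cutoff}
```

Here a buyer who single-sources half of all awards scores barely above 2 on the pooled measure but more than 20 against peers, which is why the baseline should exclude the entity being scored.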
Layer three is predictive modeling. Organizations with labeled historical fraud cases can train supervised models that score each transaction for fraud risk. Features include vendor risk scores, historic disputes, tendering patterns, pricing deviations, user behavior logs, and approval path anomalies. The output is a risk score that prioritizes which transactions need review. Predictive models catch patterns that individual anomalies miss because they weigh multiple signals simultaneously.
Layer four is network and link analysis — the most powerful technique for detecting collusion. Graphs are built from relationships between suppliers, employees, intermediaries, and entities. Shared addresses, bank accounts, beneficial owners, phone numbers, email domains, or IP ranges reveal connections that individual transaction data hides. SAS notes that since much procurement fraud involves collusion, associative linking is invaluable. Link analysis can identify clusters of suppliers that only bid against each other, rotating wins across a closed network. It can map an employee who shares a phone number or address with a supplier they approve. The Zageno analysis of life sciences procurement fraud emphasizes network analysis and social graphs as critical for identifying hidden connections, collusive bidding, and kickback schemes.
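Associative linking over shared attributes, as an added example rather than code from the article or from any product it mentions: entities that share a phone, bank account or address are merged into one component, and approvals that stay inside a component are surfaced for review. All entity names, attribute values and approvals are constructed.

```python
from collections import defaultdict

# Constructed sample: entity -> contact and payment attributes
ENTITIES = {
    "sup:northgate": {"phone": "555-0101", "bank": "ACCT-1111", "address": "12 Mill Rd"},
    "sup:redfern":   {"phone": "555-0144", "bank": "ACCT-1111", "address": "90 Quay St"},
    "sup:halden":    {"phone": "555-0188", "bank": "ACCT-3333", "address": "7 Elm Ave"},
    "emp:j.marsh":   {"phone": "555-0144", "address": "3 Oak Ln"},
    "emp:t.ito":     {"phone": "555-0199", "address": "41 Pine Ct"},
}
# Constructed approvals: (employee, supplier the employee approved)
APPROVALS = [("emp:j.marsh", "sup:northgate"), ("emp:t.ito", "sup:halden")]

def link_components(entities):
    """Union-find over shared attribute values; returns groups of two or more entities."""
    parent = {e: e for e in entities}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_owner = {}
    for ent, attrs in entities.items():
        for kind, value in attrs.items():
            key = (kind, value.strip().lower())  # normalise before matching
            if key in first_owner:
                parent[find(ent)] = find(first_owner[key])
            else:
                first_owner[key] = ent
    groups = defaultdict(set)
    for ent in entities:
        groups[find(ent)].add(ent)
    return [g for g in groups.values() if len(g) > 1]

def conflicted_approvals(entities, approvals):
    """Approvals where employee and supplier sit in the same linked component."""
    comp_of = {e: i for i, g in enumerate(link_components(entities)) for e in g}
    return [(emp, sup) for emp, sup in approvals
            if emp in comp_of and comp_of[emp] == comp_of.get(sup)]
```

The flagged approval is a two-hop link: the employee shares a phone number with one supplier, which shares a bank account with the supplier the employee approved, so a direct attribute match between approver and approved vendor would not find it.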
Indirect spend: the fraud blind spot
Indirect spend is particularly vulnerable. The category includes maintenance, repair, and operations (MRO), professional services, marketing, IT, and lab supplies — fragmented categories with high transaction volume, low unit value, and decentralized purchasing authority. P-cards and local buyers operate outside the strategic sourcing framework. Benchmarking prices is harder than for direct materials. The fraud indicators are the same but harder to spot because the data is more dispersed.
A typical indirect-spend fraud pattern: a local approver in a regional office consistently routes IT consumables purchases to a small local vendor at 15-20% above the global framework agreement price. The individual orders are under $5,000 each — below the threshold that triggers competitive bidding. Over 12 months, the cumulative overpayment reaches $120,000. The scheme is invisible at the transaction level. It only emerges when someone aggregates spend by vendor across cost centers and compares prices against the negotiated rate card. Continuous monitoring platforms that run across all P2P data catch this pattern automatically because the deviation from contracted rates appears as a spend anomaly, even when no single transaction exceeds a threshold.
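The aggregation described above, as an added example that is not from the original article: orders are rolled up by vendor across cost centers and priced against the negotiated rate card. The rate card, the orders, the 10% alert level and all names are constructed assumptions; only the $5,000 bidding threshold comes from the scenario.

```python
from collections import defaultdict

BID_THRESHOLD = 5_000.00  # per the scenario: orders under $5,000 skip competitive bidding
MARKUP_ALERT = 0.10       # assumed alert level: vendor averages more than 10% over contract

RATE_CARD = {"toner-xl": 80.00, "dock-usb-c": 150.00}  # constructed contract unit prices
# Constructed orders: (po, vendor, cost_center, item, qty, unit_price)
ORDERS = [
    ("PO-1", "Local IT Traders", "CC-110", "toner-xl", 40, 94.00),
    ("PO-2", "Local IT Traders", "CC-220", "dock-usb-c", 25, 177.00),
    ("PO-3", "Local IT Traders", "CC-330", "toner-xl", 50, 96.00),
    ("PO-4", "Framework Vendor", "CC-110", "toner-xl", 60, 80.00),
    ("PO-5", "Framework Vendor", "CC-220", "dock-usb-c", 30, 151.00),
    ("PO-6", "Local IT Traders", "CC-330", "hdmi-cable", 10, 12.00),
]

def rate_card_leakage(orders, rate_card):
    """Per-vendor overpayment against contract prices, summed across cost centers."""
    agg = defaultdict(lambda: {"billed": 0.0, "contract": 0.0,
                               "centers": set(), "largest": 0.0})
    for _, vendor, center, item, qty, unit_price in orders:
        if item not in rate_card:
            continue  # no negotiated price to benchmark against
        a = agg[vendor]
        a["billed"] += qty * unit_price
        a["contract"] += qty * rate_card[item]
        a["centers"].add(center)
        a["largest"] = max(a["largest"], qty * unit_price)
    flagged = {}
    for vendor, a in agg.items():
        if a["contract"] == 0:
            continue
        markup = (a["billed"] - a["contract"]) / a["contract"]
        if markup > MARKUP_ALERT:
            flagged[vendor] = {
                "overpaid": round(a["billed"] - a["contract"], 2),
                "markup_pct": round(markup * 100, 1),
                "cost_centers": len(a["centers"]),
                # True means no single order would have triggered a bid review
                "all_orders_below_threshold": a["largest"] < BID_THRESHOLD,
            }
    return flagged
```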
What this means in practice
Four specific actions for CPOs and finance leaders. First, run a fraud risk assessment before investing in detection tools. PwC's 2024 survey found that 59% of companies completed an enterprise-wide fraud risk assessment in the last 12 months — which means 41% have not. Without understanding where your organization is most exposed (direct sourcing, indirect categories, P-card spend, professional services), any analytics investment is shooting in the dark. Map your fraud risk by category, by supplier type, and by control environment before choosing tools.
Second, implement continuous monitoring starting with your highest-risk category. Do not try to cover everything at once. Pick the category with the highest combination of spend volume and control weakness — typically indirect spend, MRO, or professional services. Deploy business rules first (split invoice detection, threshold monitoring), then layer on anomaly detection within 90 days. Add network analysis when you have six months of baseline data. The sequence matters because each layer builds on the data and confidence from the previous one.
Third, integrate procurement data with compliance and internal audit. Fraud detection in isolation is ineffective. The compliance function needs access to procurement's data analytics dashboards. Internal audit needs to see the same risk scores. PwC's guidance emphasizes breaking down internal silos: compliance must secure buy-in from procurement on a risk-based approach to third parties, and internal audit needs shared access to data analytics. When these three functions operate from the same data, fraud signals that look isolated to procurement become patterns to compliance and audit.
Fourth, address the 50% manual process dependency. SAS found that among organizations that actively monitor procurement, the majority are over-reliant on manual processes (50%). Manual controls introduce human bias and error — or worse, opportunity. Every manual approval step between PO creation and payment is a point where segregation of duties can break down. Audit your approval chain for categories where the same person can create a vendor, approve a PO, and authorize payment. If that exists anywhere in your organization, it is not a control gap. It is an invitation.
In a real case documented by SAS, lack of controls cost a large government institution more than $300 million in procurement fraud over several years. Forensic analysis uncovered employee collusion with a large supplier and multiple split invoicing activities that could have been prevented by continuous monitoring — saving an estimated $16 million. The technology exists. The question is whether procurement leaders will treat fraud detection as a compliance cost or as a P&L recovery lever.
How much money is lost to procurement fraud annually?
SAS estimates that businesses lose around 5% of spend per year to procurement fraud, waste and abuse, with annual losses ranging from $10,000 to $150,000 per organization. The PwC Global Economic Crime Survey 2024 ranks procurement fraud among the top three most disruptive economic crimes globally.
What are the most common types of procurement fraud?
The most common types are invoice fraud (the most popular target), contract bid rigging (second most common), supplier-employee collusion and kickbacks, false or inflated invoicing, duplicate or split invoices to avoid approval thresholds, and unjustified single-source awards. 24% of organizations report collusion between employees and suppliers.
How can data analytics detect procurement fraud?
Modern analytics uses four techniques: business rules and threshold checks to catch simple schemes, anomaly detection to flag unusual patterns (spend spikes, split POs, pricing deviations), predictive models that score transactions for fraud risk, and network/link analysis that maps relationships between suppliers and employees to uncover hidden connections and collusive bidding rings.
What are red flags for supplier collusion in bidding?
Red flags include the same small group of suppliers bidding on every tender, rotating winners across similar contracts, identical errors or formatting across different bids, very low bids that may indicate product substitution, late low bids that suggest inside information, and winning bidders subcontracting substantial work to losing bidders.
Sources
- SAS — Continuous Monitoring: Stop Procurement Fraud, Waste and Abuse Now
- PwC — Procurement Fraud: PwC Global Economic Crime Survey 2024
- SAS — How to Prevent Procurement Fraud With Hybrid Analytics
- Fortifai — How to Prevent Procurement Fraud in Your Organization (2025)
- RSM Australia — Procurement Fraud Prevention and Detection
- Linkurious — Procurement Fraud: How to Spot Common Schemes
- Ansarada — How To Identify & Prevent Procurement Fraud
- SupplyChainBrain — How to Prevent Procurement Fraud With Analytics
- Zageno — How to Detect and Prevent R&D Procurement Fraud with AI
- Fraud.net — What Is Government Procurement Fraud? (2025)