SpendVault Blog

Insights on procurement, fraud and spend control.

Practical thinking for South African businesses navigating procurement fraud, compliance requirements and the operational realities of running a tighter operation.

15 Jan 2026 Fraud Prevention

The silent fraud: how procurement leaks thousands of rands every month without anyone noticing.

Ghost orders, inflated invoices and split purchases below approval thresholds are costing South African SMEs millions. Most businesses don't know it's happening until the annual audit - and by then the money is long gone.

8 Feb 2026 Operations

Your delivery note is the most dangerous piece of paper in your business.

A signed delivery note is your only evidence that you received what you paid for. When it's a paper form filed in a drawer - or a WhatsApp photo that gets deleted - that evidence is worth almost nothing in a dispute.

3 Mar 2026 Compliance

POPIA and procurement: what every finance team needs to know in 2026.

The Protection of Personal Information Act affects how you store supplier contracts, employee records and client data in your procurement system. Here's a plain-language guide to what you actually need to do.


The silent fraud: how procurement leaks thousands of rands every month without anyone noticing.

It doesn't start with a criminal. It starts with a process gap - and it compounds quietly until the audit reveals a number nobody can explain.

The anatomy of a ghost order

A ghost order is a purchase order raised for goods or services that are never delivered - or never existed. In the most straightforward cases, a staff member creates a PO for a supplier (often one they have a personal relationship with), the payment goes through, and nothing arrives. In more sophisticated cases, partial deliveries are used to establish legitimacy before the larger fraud begins.

What makes ghost orders so effective in paper-based procurement systems is that there is no automatic reconciliation between what was ordered and what arrived. If the person who raises the PO is also the person who signs off the delivery note - a control failure that is distressingly common in SMEs - the fraud can run for months or years before anyone checks.

Split orders: staying below the threshold

Most businesses have approval thresholds. An order below R5,000 might require only one signatory. Above that, a second approver is required. Above R50,000, a director must sign off. These thresholds exist to protect the business - but they create an obvious vulnerability: split orders.

A supplier invoice for R48,000 is raised instead of R100,000. Two weeks later, a second invoice for R47,500 arrives. Both stay below the threshold that would require escalated review. Both are approved by the same staff member. The business has effectively paid R95,500 for something that should have gone to competitive tender - or may not have been needed at all.

Without a system that cross-references orders to the same supplier over a rolling period, split order fraud is nearly invisible.
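The rolling-period cross-reference described above can be sketched in a few lines. This is an added example, not SpendVault's code: the 30-day window, the record layout and all invoice data are assumptions constructed for illustration, while the R5,000 and R50,000 tiers are the ones quoted in this article.

```python
from collections import defaultdict
from datetime import date, timedelta

# Approval tiers from the article: second approver above R5,000, director above R50,000.
THRESHOLDS = (5_000, 50_000)
WINDOW = timedelta(days=30)  # assumption: the article does not fix the rolling period

# Constructed sample data: (invoice_id, supplier, approver, invoice_date, amount_rand)
INVOICES = [
    ("INV-001", "Acme Supplies", "thandi", date(2026, 1, 5), 48_000),
    ("INV-002", "Acme Supplies", "thandi", date(2026, 1, 19), 47_500),
    ("INV-003", "Bolt Hardware", "sipho", date(2026, 1, 7), 3_200),
    ("INV-004", "Bolt Hardware", "sipho", date(2026, 3, 20), 4_100),
    ("INV-005", "Cape Freight", "lerato", date(2026, 1, 9), 62_000),
]

def find_split_orders(invoices, thresholds=THRESHOLDS, window=WINDOW):
    """Flag invoices to one supplier, approved by one person, that each stay at or
    below a threshold but together exceed it inside the rolling window."""
    by_pair = defaultdict(list)
    for inv in invoices:
        by_pair[(inv[1], inv[2])].append(inv)  # group by (supplier, approver)

    findings = []
    for (supplier, approver), rows in by_pair.items():
        rows.sort(key=lambda r: r[3])
        for limit in thresholds:
            under = [r for r in rows if r[4] <= limit]  # each one avoided escalation
            start, total = 0, 0
            for end, row in enumerate(under):
                total += row[4]
                while row[3] - under[start][3] > window:  # slide the window forward
                    total -= under[start][4]
                    start += 1
                if end > start and total > limit:
                    findings.append({
                        "supplier": supplier,
                        "approver": approver,
                        "threshold": limit,
                        "total": total,
                        "invoices": [r[0] for r in under[start:end + 1]],
                    })
    return findings

if __name__ == "__main__":
    for finding in find_split_orders(INVOICES):
        print(finding)
```

Grouping on supplier alone, without the approver, widens the net to splits routed through different staff at the cost of more results to review.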

The cost is rarely just the fraud itself

The direct financial loss is the obvious damage. But the secondary costs are often larger: management time spent on forensic reconstruction, legal costs if prosecution is pursued, the reputational effect of a SARS audit triggered by a discrepancy, and the operational disruption of replacing a staff member who was - until the fraud was discovered - considered reliable.

The most effective defence is not investigation after the fact. It is a procurement process that makes the fraud difficult to execute in the first place: documented approvals, automatic 3-way matching between PO, delivery and invoice, and pattern detection that flags anomalous behaviour before the damage compounds.

What a controlled process looks like

Every purchase order linked to an approved supplier catalogue. Every approval logged with a user identity, timestamp and reason. Every delivery confirmed against the originating PO - with a photograph, a GPS coordinate and a match score. Every invoice approved only after the 3-way match is complete. And a reporting layer that surfaces the patterns: same staff, same supplier, no competitive quotes, orders just below thresholds.

This is not a complicated system. It is a systematic one - and the difference between a business that discovers fraud after the damage is done and one that prevents it at the point of order.


Your delivery note is the most dangerous piece of paper in your business.

It's the only document that stands between you and a supplier who claims they delivered exactly what they invoiced for. When it's a paper form in a drawer, it's not protection - it's a liability.

What the delivery note is supposed to do

In principle, the delivery note is the evidentiary record of exactly what arrived, when, in what condition and who received it. When a dispute arises - a supplier says they delivered 100 units, your stock count shows 80 - the delivery note is the document that resolves the dispute.

In practice, for most South African SMEs, the delivery note is a printed form with handwritten quantities, signed by whoever happened to be near the loading bay, filed in a box somewhere, and retrievable only if someone knows which box and how it's organised.

Three scenarios where paper fails you

Scenario 1 - The disputed quantity. A supplier invoices for 500 litres of product. Your receiving staff signed for 500 litres on the delivery note. But the actual quantity was closer to 420. The form was signed without a careful count, which happens constantly under time pressure. You now owe money for 80 litres you never received, with a signed piece of paper as evidence against you.

Scenario 2 - The damaged goods. A delivery of components arrives with visible damage to a portion of the consignment. The receiving staff note this on the paper form. The delivery note is filed. The supplier invoices for the full amount. Three weeks later, when the finance team is querying the invoice, nobody can find the delivery note. The damage is undocumented. The supplier's invoice stands.

Scenario 3 - The missing delivery. A supplier claims goods were delivered. Your records show no corresponding delivery note. The supplier produces a signed form bearing a forged or incorrectly attributed signature. Without a digital record, GPS coordinate and timestamp, you cannot prove the delivery did not happen.

What a digital delivery record provides

When receiving staff confirm a delivery on a mobile device, the record includes a photograph of the goods, the quantities entered against each line item, a GPS coordinate for the delivery location, the exact timestamp and the identity of the staff member who confirmed receipt. The system matches these entries against the originating purchase order and flags discrepancies in real time - before the delivery is accepted and before the invoice can be approved.
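The match described above, which is also the 3-way match between PO, delivery and invoice from the ghost-order article, can be written as one check that returns the exceptions blocking invoice approval. This is an added example, not SpendVault's code: the record layout, names and prices are constructed assumptions, and the quantities follow Scenario 1 (500 litres invoiced, 420 received).

```python
# Constructed sample records; field names are illustrative, not a real product schema.
PO = {"id": "PO-1001", "raised_by": "thandi",
      "lines": {"DIESEL-L": {"qty": 500, "unit_price": 21.50}}}
DELIVERY = {"po_id": "PO-1001", "confirmed_by": "thandi",
            "received": {"DIESEL-L": 420}}
INVOICE = {"po_id": "PO-1001",
           "lines": {"DIESEL-L": {"qty": 500, "unit_price": 21.50}}}

def three_way_match(po, delivery, invoice, price_tolerance=0.0):
    """Return a list of exceptions; the invoice may be approved only if it is empty."""
    if delivery is None:
        return ["no delivery recorded against PO (possible ghost order)"]
    if delivery["po_id"] != po["id"] or invoice["po_id"] != po["id"]:
        return ["documents do not reference the same PO"]

    issues = []
    # Segregation of duties: whoever raised the PO must not confirm its receipt.
    if delivery["confirmed_by"] == po["raised_by"]:
        issues.append("same person raised the PO and confirmed delivery")

    for sku, inv_line in invoice["lines"].items():
        po_line = po["lines"].get(sku)
        if po_line is None:
            issues.append(f"{sku}: invoiced but never ordered")
            continue
        received = delivery["received"].get(sku, 0)
        if inv_line["qty"] > received:
            issues.append(f"{sku}: invoiced {inv_line['qty']} but received {received}")
        if inv_line["qty"] > po_line["qty"]:
            issues.append(f"{sku}: invoiced {inv_line['qty']} but ordered {po_line['qty']}")
        if inv_line["unit_price"] > po_line["unit_price"] + price_tolerance:
            issues.append(f"{sku}: invoice unit price above PO price")
    return issues

if __name__ == "__main__":
    for issue in three_way_match(PO, DELIVERY, INVOICE):
        print("BLOCK INVOICE:", issue)
```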

This is not about technology for technology's sake. It is about ensuring that the moment of delivery - which is the moment your legal and financial liability crystallises - is documented with evidence that is searchable, permanent and defensible.

A paper delivery note in a filing cabinet is not a procurement control. It is a hope that nothing goes wrong. A digital delivery record is the difference between a dispute you can win and one you have already lost.


POPIA and procurement: what every finance team needs to know in 2026.

The Protection of Personal Information Act has been fully in effect since July 2021. Most SMEs have addressed the obvious parts. Many have not considered how it applies to the procurement function specifically.

What personal information procurement systems hold

It is easy to think of POPIA as applying primarily to customer data. But your procurement system holds a significant volume of personal information: supplier contact names and personal email addresses, employee records for staff involved in the approval chain, bank account details for individual contractors, identity numbers for BBBEE verification purposes, and in some cases the personal financial information of sole proprietors and small suppliers who are effectively individuals.

All of this is personal information under POPIA, and its processing - collection, storage, use, sharing and deletion - must comply with the eight conditions for lawful processing set out in the Act.

The eight conditions in procurement terms

Accountability: Your organisation is the responsible party for personal information in your procurement system. You must designate an Information Officer (registered with the Information Regulator) and ensure that your suppliers and staff know who to contact about data protection matters.

Processing limitation: You may only process personal information for the purpose for which it was collected. Supplier contact details collected for procurement purposes may not be used for marketing without separate consent.

Purpose specification: The purpose for which you collect personal information must be specific, explicitly defined and lawful. "We need it for procurement administration" is a legitimate purpose. It must be communicated to the data subject.

Further processing limitation: Once the procurement relationship ends - a supplier is delisted, a staff member leaves - personal information should not continue to be processed beyond what is required for legal and compliance retention obligations.

Information quality: Personal information must be accurate, complete and up to date. Outdated supplier banking details in your system are a POPIA compliance issue as well as a fraud risk.

Openness: Data subjects must be informed that their personal information is being collected and for what purpose. Supplier onboarding processes should include a clear privacy notice.

Security safeguards: Reasonable technical and organisational measures must be taken to protect personal information from loss, damage or unauthorised access. This includes access controls on your procurement system, encryption of sensitive data, and incident response procedures.

Data subject participation: Individuals have the right to access personal information you hold about them, to request correction and in certain circumstances to request deletion. Your procurement system must support these requests.

The single-tenant architecture question

One of the less-discussed POPIA implications for procurement software is the question of where your data lives. Cloud platforms that run a shared database across multiple clients create a risk: your suppliers' personal information is co-mingled with data from other organisations on the same infrastructure. A breach affecting another client's data could potentially affect yours.

A single-tenant deployment - where your instance runs on isolated infrastructure with no shared database - eliminates this risk. It also makes it substantially easier to respond to data subject access requests, data deletion requests and SARS or regulatory audits, because your data is cleanly separated and fully within your control.