Managing New Fraud Risks in an Electronic Procurement/Tendering Environment · 2015-06-02

©2015

MANAGING NEW FRAUD RISKS IN AN ELECTRONIC PROCUREMENT/TENDERING ENVIRONMENT

Procurement is the function most commonly targeted by fraudsters. Many organizations have already transitioned to, or are considering moving to, an e-procurement (e-tendering) system in the hopes of reducing fraud risks. However, while certain risks are reduced in an electronic environment, others simply change and new ones emerge. This session will use real-life cases to explain how contract and procurement fraud risks change when an organization moves from a paper-based system to an electronic one.

You will learn how to:

Describe the ways an electronic environment can be used to replace a paper-based system.

Recognize how fraud risks change and which new fraud risks emerge when converting to an e-procurement (e-tendering) system.

Identify the key preventive and detective controls that are necessary in an electronic purchasing environment.

GERARD M. ZACK, CFE, CPA, CIA, CCEP
Managing Director
BDO Consulting
Bethesda, Maryland

Gerard Zack is a managing director in the global forensics practice of BDO Consulting and is based in the Washington, DC, area office. He has more than 30 years of experience providing fraud prevention, detection, and investigation services, as well as forensic accounting, fraud risk assessment, and risk management. He also designs fraud awareness training programs for organizations and evaluates corporate anti-fraud programs. His experience also includes numerous financial statement, compliance, internal, and vendor audits.

He has worked with businesses in many industries, nonprofit organizations, and government agencies throughout North America and Europe. Prior to joining international firm BDO, he ran his own anti-fraud services firm, Zack P.C., since founding the practice in 1990. Before 1990, he served as an audit manager with an international public accounting firm. Along the way, he took a two-year hiatus from his practice to serve as chief operating and compliance officer for an international scientific organization headquartered in Washington, DC.

Mr. Zack is a Certified Fraud Examiner (CFE), Certified Public Accountant (CPA), Certified Internal Auditor (CIA), and Certified Compliance and Ethics Professional (CCEP), and he holds a Certificate in Risk Management Assurance (CRMA). In addition to serving clients, he has served on the faculty of the ACFE since 2006, providing anti-fraud training in North America, Europe, Africa, Asia, and Australia. He is the 2009 recipient of the ACFE's James Baker Speaker of the Year Award. In 2013, he was elected to serve a two-year term on the ACFE's Board of Regents for 2014–2015.

Mr. Zack is the author of three books published by John Wiley & Sons: Financial Statement Fraud: Strategies for Detection and Investigation (2013), Fair Value Accounting Fraud: New Global Risks and Detection Techniques (2009), and Fraud and Abuse in Nonprofit Organizations: A Guide to Prevention and Detection (2003). He is also the principal author of the ACFE course "Uncovering Fraud with Financial and Ratio Analysis," and he has contributed to several other course manuals. He is the author of numerous articles on fraud-related topics and is a highly sought speaker at international and national conferences, including the Annual ACFE Global Fraud Conference and those sponsored by the AICPA and many other groups.

Mr. Zack earned his M.B.A. in finance at Loyola University in Maryland and his B.S.B.A. in accounting from Shippensburg University of Pennsylvania. He can be contacted by telephone at +1 301.634.0279 or by email at [email protected].

"Association of Certified Fraud Examiners," "Certified Fraud Examiner," "CFE," "ACFE," and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

MANAGING NEW FRAUD RISKS IN AN ELECTRONIC PROCUREMENT/TENDERING ENVIRONMENT
26th Annual ACFE Fraud Conference and Exhibition ©2015

If there is one word that can consistently be used to describe fraud risk management, it is change. Fraud risks are in a perpetual state of change, and our fraud risk assessments and risk mitigation strategies have to keep pace. Organizations that fail to do so inevitably suffer the consequences in the form of fraud, corruption, and compliance breaches. Some of the key drivers of change that impact fraud risks are:

People
Strategy
Competition
Economic conditions
Regulatory environment

As each of these drivers changes, the fraud (and other) risks our organizations face also change, sometimes drastically. Another driver of fraud risk, and a significant one, is technology. And technology is the category in which this session's fraud risks exist.

Developments in technology represent both assets and risks to most organizations. Many developments enable organizations to work more efficiently, and some improve security. Improvements in data analytics have significantly enhanced our ability to monitor activities and detect fraud and noncompliance in a timely manner in recent years. However, fraudsters also capitalize on technology. As technology has changed, so too have fraud schemes. The chart below depicts a simple progression of frauds as the tools used to perpetrate them have evolved:

Type of Fraud / Example

Simple fraud using simple tools: Subject uses a hammer to break into a warehouse to steal inventory.

Complex fraud using simple tools: Kickback scheme in which a procurement employee secretly opens offers that have been received and leaks information from those offers to the preferred vendor.

Simple fraud using complex tools: Employee inflates an expense reimbursement claim by scanning the original supporting documents, altering the amounts with photo editing software, and submitting the inflated claim.

Complex fraud using complex tools: Undisclosed conflict of interest scheme in which a purchasing employee establishes an online shell company, circumvents e-tendering by inserting an e-bid directly into the system, then submits fraudulent invoices electronically.

Fraudsters generally utilize developments in technology to perpetrate frauds in one of two manners:

1. By developing tools of their own to perpetrate crimes using the latest technology

2. By exploiting overlooked weaknesses in our systems as we deploy new technology

The second manner is the one that provides the greatest surprise to organizations, when they realize that they really did not fully assess all the risks when a new technology was implemented.

In particular, this session will focus on the increasing trend toward electronic tendering/procurement.

Why e-Tendering?

Globally, many government agencies and large corporations have converted from an entirely paper-based procurement/tendering process to one that is wholly or partly electronic. Some of the most commonly identified potential benefits of e-tendering include:

Increased visibility of procurement opportunities, which opens up the tender to a broader range of vendors and leads to an increased number of offers

Reduction in the time and effort involved by the purchaser in preparing, publishing, and processing tenders, as well as in receiving offers

Reduction in procedural mistakes caused by human error during the procurement process

Increased degree to which automation can be used in the evaluation of offers

Improved transparency and reduced risk of corruption and fraud

I'll come back to the final potential benefit later, the potential for reducing the risk of fraud and corruption. But, first, a few additional basics about e-tendering.

Generally, there are three levels of e-tendering that can be utilized:

1. One-way communication: Vendors register online, download RFPs and so on, and receive other communications from the purchaser via the site, but submit paper proposals.

2. Two-way communication through selection: In addition to the preceding, vendors submit questions to the purchaser, receive responses to questions, submit proposals, and are notified of selection by the purchaser, at which point the e-system is no longer used.

3. Complete two-way communication: In addition to the preceding, the contract with the winning bidder is executed electronically, as are all subsequent modifications and communications.

Each of these three levels may be implemented using one of the following models:

1. Dedicated e-Tendering System: The procuring organization owns and controls the entire system infrastructure that is used throughout the process.

2. Partial Outsourcing Model 1: The procuring organization purchases and owns the e-tendering system, which is managed by a service provider.

3. Partial Outsourcing Model 2: The procuring organization uses the e-tendering system of a service provider, who owns and controls the infrastructure.

4. Full Outsourcing Model: The procuring organization registers and uses the service provider's portal for e-tendering, without any direct intervention from the service provider. The service provider is basically a platform provider, while the management of the process (i.e., the actual tendering activities) remains in the hands of the procuring organization.

Which approach an organization takes in implementing an e-tendering system depends on many factors, including its needs, its internal capabilities to operate and maintain a system, and others. Likewise, the degree to which an organization is vulnerable to some of the fraud risks that will be explained in this paper also depends in part on which level and model is utilized.

The Tendering Process

Converting from paper to electronic systems affects some, but not all, phases in the procurement cycle. So, our starting point is to understand what the procurement cycle entails.

The four phases in the procurement/tendering process, and the fraud and corruption schemes most commonly associated with each, are as follows:

Presolicitation Phase
Need recognition schemes
Bid specification schemes (e.g., bid tailoring)
Unjustified sole sourcing
Bid splitting
Bidder prequalification schemes

Solicitation Phase
Leaking of information
Inappropriate Q&A communications
Manipulation of bid receipt
Back-dating receipt of bids
Collusion among bidders

Evaluation and Award Phase
Bid manipulation
Improper disqualification
Unjustified changes in bid specifications or award criteria

Post-Award and Performance Phase
Change order abuse
False billings
Product substitution
Non-conforming goods or services
Cost mischarging

Whether an organization uses a paper or electronic system does not impact the risks of each of these schemes equally. Some risks would be unaffected by a switch from a paper to an electronic system. For example, a need recognition scheme, in which a perpetrator simply creates a phony need and then makes a purchase, would not be significantly impacted one way or the other (increasing or decreasing the risk) by moving from paper to electronic. Likewise, bid splitting to circumvent a monetary threshold is likely to be equally effective in circumventing an electronic system as it is a paper system.

Another way of looking at the deployment of new technology is to consider whether the utilization of a new technology would:

Eliminate a particular fraud risk
Reduce the likelihood of a fraud risk
Alter the characteristics of an existing fraud risk
Increase the likelihood of an existing fraud risk
Create a new fraud risk

Most of the attention devoted to e-tendering has dealt with its potential for reducing or eliminating certain risks. But what about the third through fifth categories above? The remainder of this paper will explore risks that could be overlooked when implementing an e-tendering system. For purposes of this session, fraud risks will be classified into two categories:

1. The latter stages of the presolicitation phase (involving vendor awareness of tenders, vendor registration, and prequalification) and the early solicitation phase (up through the posting of bidding documents and subsequent Q&A)

2. The latter half of the solicitation phase (beginning with the submission of bids by vendors) through the evaluation phase

It is in these two areas, overlapping three of the four procurement phases outlined above, where e-tendering fraud risks can be differentiated from their counterparts in a paper environment.

Schemes in the Presolicitation Phase up Through Posting of Bidding Documents

The primary risks in the presolicitation phase that may differ in an electronic environment from a paper one involve the following steps, which may occur prior to any tenders being posted by the purchasing organization:

System access by potential bidders
Registration by potential bidders
Prequalification of vendors

Most schemes in the presolicitation phase are designed to limit access to preferred bidders, to the exclusion of other qualified bidders.

Prequalification is a step in the procurement process in which bidders are subject to preliminary screening, limiting the pool of bidders whose bids will be accepted and considered. Common prequalification criteria include:

Number of years in business
Annual turnover
Level of insurance coverage
Regulatory certifications and/or licenses
Direct v. indirect provider of materials or personnel

Prequalification should be a step that is used only in procurements where it is deemed to be necessary. An unnecessary prequalification step may be exactly how a fraudster excludes otherwise qualified bidders from the process. Likewise, including unnecessary criteria for prequalification is another technique that could be used to limit competition.

But these risks are no different in an electronic environment than they are in a paper setting.

In an electronic environment, some techniques that could be used to restrict competition, and the corresponding controls for each, include:

Scheme or Technique / Control

a. Posting bid notifications/advertisements to a difficult-to-access website.
Control: Post all notices on a publicly available website that is easy to locate.

b. Requiring registration to gain access to tender notifications.
Control: Registration should not be required simply to be able to view upcoming tenders.

c. Charging a fee to enroll in the bid notification or registration system.
Control: Online enrollment should be free.

d. Requiring multiple registrations (separate registrations for each project).
Control: Utilize a single sign-on system whereby a vendor uses the same registration repeatedly for multiple projects.

e. Requiring unnecessary information simply to register to receive tender notifications, such as information preferred vendors might have but that others (such as smaller but qualified vendors) might not have.
Control: Limit required registration information to only the most essential.

f. Utilizing an overly complicated system for registering or submitting data for prequalification.
Control: Provide clear and readily available instructions; make training available to users; consider use of multiple languages.

g. Requiring a cumbersome enrollment process for new vendors, while grandfathering in preferred vendors upon implementation of the electronic system.
Control: Utilize a consistent enrollment process across all vendors, including existing vendors.

h. Requiring a digital certificate simply to register on the system.
Control: Do not require a digital certificate for registration.

i. Posting notices that require special software to read or that have compatibility issues.
Control: All documents should be readable using a range of commonly used software, such as freely available software that can be downloaded directly from the site itself (e.g., Adobe PDF documents).

j. Charging a fee for prequalification.
Control: There should be no charge for a vendor who wishes to submit to a prequalification process.

k. Lack of or unclear information about how long the registration or prequalification process takes.
Control: Provide clear information and consistently meet expectations (if you say it takes one week for prequalification, get it done in a week).

l. Frequent changes in the technology utilized by the prequalification system, making accessibility by vendors technologically challenging.
Control: Keep it simple; provide sufficient advance notice of changes, especially if user system requirements are affected; provide user guides and training.

m. Requiring that documents be uploaded to the system (e.g., in prequalification) in formats that require special software.
Control: Any required uploads of documents should be allowable in formats that are commonly or freely available (e.g., PDF, common text formats, etc.).

n. Failing to make clear when certain documents must be submitted in paper form.
Control: Minimize any requirements for submission of paper documents and, where necessary, provide multiple warnings that paper documents are required and allow sufficient time for delivery.

o. Rejecting prequalification applications (especially after a deadline has passed) for reasons that should have been flagged for users during completion of online forms.
Control: Provide clear error messages along the way, as users complete online forms, about missing data, other errors, etc.

Schemes in the Solicitation and Evaluation Phases

The second category of risks in switching from paper to e-tendering exists once a tender is posted, up through the submission of bids and the evaluation of bids and selection of the winning bid. Nowhere are the differences in fraud risks between paper and electronic systems more noticeable than in this phase. Some of the schemes or techniques used to direct business towards a preferred vendor in this phase include:

Scheme / Control

a. Requiring a separate registration for access to each tender.
Control: One registration should make subsequent tenders available to the vendor.

b. Listing upcoming/open tenders in an unsearchable manner (especially for larger organizations that may have hundreds of tenders posted at any point in time).
Control: Provide filtering and searching functionality for all tenders posted.

c. Providing unclear guidance on due dates of bids by stating submission periods in number of days instead of providing a final due date.
Control: Always provide submission deadlines expressed as a calendar date (and time, if appropriate).

d. Posting notices of changes to a call for tenders without an easy way of identifying where the changes were made (usually done in conjunction with leaking the change information to preferred bidders).
Control: Include an index to all changes and clear, detailed information about the changes.

e. System fails to provide confirmation of receipt of a bid, which is later deemed late or not received.
Control: The bidder should receive immediate notification of whether their submission was successful, including a date and time stamp; proof of delivery should be digitally signed by the e-tendering system.

f. System does not allow resubmission of bids even if the deadline has not yet passed.
Control: Users should be permitted to correct errors by resubmitting a bid.

g. Deleting a bid that has been submitted, claiming it never was received.
Control: Strong audit trail in the application involved in the receipt of bids.

h. Modification of bids by purchasing entity employees, by competitors and other third parties, or by system service providers.
Control: Ensure confidentiality and integrity of information (see subsequent discussion) through strong access controls.

i. Providing special access to the e-tendering system for a preferred vendor to allow unauthorized access to competitor or tender data.
Control: Strong access controls; data mining associated with system access, to detect unusual entries.

j. Blocking access for submission of bids during normal business hours and/or arranging for limited access for preferred vendors during unusual hours.
Control: Implement a consistent policy regarding days and times of access to the e-tendering system; data mining associated with system access to detect unusual times or dates of access.

k. Fake bids submitted by shell companies associated with competitors or bidders in collusion.
Control: Robust prequalification process; data mining of submitted bids, looking for red flags of fake bids.
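Rows e, g and h above all come down to one property: once a bid is received, neither its existence nor its content can be quietly changed. The following is an added example (not code from the paper or from any e-tendering product) showing one way to build that property into the bid-receipt component: every submission is appended to a hash-chained ledger, the bidder gets a time-stamped receipt, and a later verification pass reports any deleted, reordered or edited entry and any stored bid whose content no longer matches its receipt. The bid IDs, vendor names, timestamps and the HMAC receipt key are assumptions constructed for the example; the HMAC stands in for the system's signing key, and a production system would issue a real digital signature so that third parties can verify receipts without holding the key.

```python
"""Tamper-evident bid receipt ledger (added example; not code from the paper).
Row e: immediate, time-stamped receipt.  Row g: audit trail that exposes a later
"it was never received" claim.  Row h: detection of a stored bid altered after receipt.
The HMAC key below stands in for the e-tendering system's signing key (assumption)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value for the first ledger entry


class BidLedger:
    def __init__(self, receipt_key: bytes):
        self._key = receipt_key
        self.entries = []   # append-only; each entry is hash-chained to the previous one
        self.bids = {}      # bid_id -> bid bytes as stored by the system

    @staticmethod
    def _bid_digest(bid: bytes) -> str:
        return hashlib.sha256(bid).hexdigest()

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # The hash covers every field except the hash itself and the bidder's receipt tag.
        body = {k: v for k, v in entry.items() if k not in ("hash", "receipt")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def submit(self, bid_id: str, vendor: str, bid: bytes, received_at: datetime) -> dict:
        """Record a submission and return the receipt the bidder keeps."""
        entry = {
            "seq": len(self.entries),
            "bid_id": bid_id,
            "vendor": vendor,
            "bid_sha256": self._bid_digest(bid),
            "received_at": received_at.astimezone(timezone.utc).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        self.bids[bid_id] = bid
        tag = hmac.new(self._key, entry["hash"].encode(), hashlib.sha256).hexdigest()
        return {**entry, "receipt": tag}

    def verify_receipt(self, receipt: dict) -> bool:
        """Check that a bidder's receipt is genuine and that its entry is still on the ledger."""
        expected = hmac.new(self._key, receipt["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, receipt["receipt"]):
            return False
        return any(e["hash"] == receipt["hash"] for e in self.entries)

    def verify_chain(self) -> list:
        """Recompute every link; report deleted, reordered or edited entries and altered bids."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                problems.append(f"chain broken before entry {e['seq']} ({e['bid_id']})")
            if self._entry_hash(e) != e["hash"]:
                problems.append(f"entry {e['seq']} ({e['bid_id']}) modified")
            stored = self.bids.get(e["bid_id"])
            if stored is None:
                problems.append(f"bid {e['bid_id']} missing from store")
            elif self._bid_digest(stored) != e["bid_sha256"]:
                problems.append(f"bid {e['bid_id']} content altered after receipt")
            prev = e["hash"]
        return problems


def demo() -> dict:
    """Constructed scenario: three bids received, then two insider manipulations."""
    ledger = BidLedger(receipt_key=b"demo-key-not-for-production")
    t = datetime(2015, 6, 1, 14, 0, tzinfo=timezone.utc)
    r_a = ledger.submit("T-100/bid-1", "Vendor A", b"price=100000;days=30", t)
    r_b = ledger.submit("T-100/bid-2", "Vendor B", b"price=95000;days=45", t.replace(hour=15))
    ledger.submit("T-100/bid-3", "Vendor C", b"price=99000;days=40", t.replace(hour=16))
    clean = ledger.verify_chain()
    # Row g: an insider deletes Vendor B's bid and later claims it was never received.
    ledger.entries.pop(1)
    del ledger.bids["T-100/bid-2"]
    # Row h: Vendor C's stored price is edited upward after the deadline.
    ledger.bids["T-100/bid-3"] = b"price=109000;days=40"
    return {
        "clean_before": clean,
        "problems": ledger.verify_chain(),
        "vendor_a_receipt_ok": ledger.verify_receipt(r_a),
        "vendor_b_receipt_ok": ledger.verify_receipt(r_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Vendor B's receipt still carries a valid tag, so when the ledger no longer contains the matching entry the discrepancy points at the system side, not at the bidder; that is the evidence an auditor needs against a "never received" claim. The chain check is what the audit-trail control in row g should deliver in practice: it must be run by someone other than the staff who operate the bid-receipt application, and the ledger should be written to storage those staff cannot rewrite.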

Several of the risks identified in this section and in the preceding section involve the critical process of authentication. Authentication is the process that verifies a user's identity. This is critical when submitting data in the prequalification stage, as well as in submitting bids. Two-factor authentication refers to using two different means for authentication, for example, something the user has (e.g., a card) plus something the user knows (e.g., a PIN).

The European Commission's e-Tendering Expert Group in February 2013 published the following recommendations on authentication for e-tendering in its Recommendations for Effective Public e-Procurement:

Task to Perform / Authentication Requirements

Query opportunity, download specifications, submit questions: Vendor opt-in for light registration (or remain anonymous)

Prepare tender: Username + password, OR two-factor authentication (e.g., password plus SMS-based token) if imposed by the contracting authority

Submit tender: Username + password, OR digital signature if imposed by the contracting authority

Contract signature: Digital signature

Digital signatures are the electronic counterpart to a handwritten signature and are legally acceptable in many instances. Digital signatures must have certain characteristics in order to be considered valid:

It must verify the sender.
It must verify the date and time of the signature.
It must authenticate the transaction at the time of the signature.
It must be verifiable by third parties.

Sound digital signatures rely on sophisticated cryptographic technology, enabling them to resist electronic forgery.

E-tendering organizations should carefully think through their authentication processes. In cases in which an organization relies solely on usernames and passwords, rather than two-factor authentication or digital signatures, password recovery features should be strong enough that an unauthorized user could not break into an authorized user's account by guessing or by doing limited research on the account holder.
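The weakness the last paragraph describes is concrete: a recovery flow keyed to a security question is only as secret as the answer, and for a registered vendor the obvious answers (company registration number, year founded, director's name) are in public filings. The following added example (not code from the paper) contrasts that design with a reset token that is random, delivered out of band, stored only as a hash, short-lived, single-use and protected against repeated guessing. Class names, the 15-minute lifetime, the attempt limit and the sample registration number are assumptions constructed for the example.

```python
"""Password-recovery hardening for a username/password-only portal (added example;
not from the paper). QuestionRecovery is the guessable design; TokenRecovery is the
hardened one. Lifetime, attempt limit and sample data are assumptions."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class QuestionRecovery:
    """Weak: 'What is your company registration number?' is answerable from public records."""

    def __init__(self, answer: str):
        self._answer = answer.strip().lower()

    def reset_allowed(self, guess: str) -> bool:
        return guess.strip().lower() == self._answer


class TokenRecovery:
    """Stronger: unguessable token sent only to the registered contact, hashed at rest,
    expiring, single-use, with a cap on failed redemption attempts."""
    TTL = timedelta(minutes=15)
    MAX_ATTEMPTS = 5

    def __init__(self):
        self._pending = {}   # account -> {"hash": str, "expires": datetime, "failures": int}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness; not derivable from account data
        self._pending[account] = {"hash": self._h(token), "expires": now + self.TTL, "failures": 0}
        return token   # delivered out of band to the registered address; never echoed in the UI

    def reset_allowed(self, account: str, token: str, now: datetime) -> bool:
        rec = self._pending.get(account)
        if rec is None:
            return False
        if now > rec["expires"]:
            del self._pending[account]          # expired tokens are purged, not retried
            return False
        if hmac.compare_digest(rec["hash"], self._h(token)):
            del self._pending[account]          # single use
            return True
        rec["failures"] += 1
        if rec["failures"] >= self.MAX_ATTEMPTS:
            del self._pending[account]          # stops online guessing of the token
        return False


def demo() -> dict:
    """Constructed scenario: an attacker with public information about Vendor B."""
    now = datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)
    weak = QuestionRecovery("REG-2001-012345")   # constructed; printed on the vendor's public filings
    strong = TokenRecovery()
    real_token = strong.issue("vendor-b", now)
    attacker_guess = secrets.token_urlsafe(32)
    results = {
        "weak_attacker_succeeds": weak.reset_allowed("reg-2001-012345"),
        "strong_attacker_guess": strong.reset_allowed("vendor-b", attacker_guess, now),
        "strong_legit_redeem": strong.reset_allowed("vendor-b", real_token, now + timedelta(minutes=5)),
        "strong_token_reuse": strong.reset_allowed("vendor-b", real_token, now + timedelta(minutes=6)),
    }
    stale = strong.issue("vendor-b", now)
    results["strong_expired"] = strong.reset_allowed("vendor-b", stale, now + timedelta(minutes=16))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points carry over to any e-tendering portal: the token is compared with `hmac.compare_digest` so response timing does not leak how many characters matched, and only its hash is stored, so a read of the database by a service provider or an IT insider (the access paths listed later under Confidentiality) does not yield usable reset tokens.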

Two Recent Cases in e-Tendering Schemes

One 2014 case that illustrates several of the possible vulnerabilities described in this session involves Brihanmumbai Municipal Corporation (BMC). More than 20 BMC officials have been investigated in connection with this e-tendering scam, in which loopholes were created that enabled preferred vendors to submit bids while other qualified vendors were unable to submit their bids.

The primary technique used by the perpetrators appears to have been to open the system for accepting bids at very unusual times of the day, usually after midnight, and keep the system open for only a few hours rather than the seven days required by BMC policy. When other vendors attempted to submit bids during normal working hours, they were unable to do so, likely presuming all vendors were experiencing the same difficulties in accessing the system. In one instance, a tender was opened at 3:25 a.m. and closed at 8:59 a.m. the same day. In another, the tender was opened at 3:35 a.m. and closed at 9:12 a.m.

In addition, certain BMC engineers apparently leaked tender information to preferred vendors. These engineers also accessed BMC systems at odd hours to collect tender details or provided log-in information to preferred vendors. According to an investigative report, computer logs of civic engineers show that at least 20 used their official computers at odd hours. Officials allege the engineers either used the computers themselves or gave their passwords and usernames to contractors, who opened bids and received the contracts.

During the period of the scam, approximately 50 percent of BMC purchases were handled using the e-tendering system, while half used paper. As part of BMC's remediation efforts, the organization will move to 100 percent e-tendering, but with several enhancements to its internal controls, including:

Tenders only to be opened during business hours
Requirement for the use of digital signatures
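The BMC pattern is detectable from data the portal already records, which is what the "data mining associated with system access" controls in rows i and j of the solicitation-phase table are asking for. The following added example (not code from the paper or from BMC's systems) runs two such checks over constructed logs: tender windows that were opened outside business hours or kept open for less than the policy minimum, and staff accounts active at odd hours, which are then correlated with the flagged tenders. The log layouts, user names, dates and the 9-to-6 business-hours policy are assumptions; only the two quoted opening and closing times and the seven-day minimum come from the case.

```python
"""Access-time analytics for an e-tendering portal (added example; not from the paper).
Check 1: tender windows opened outside business hours or shorter than the policy minimum.
Check 2: staff activity at odd hours, correlated with the tenders they opened.
Log formats, user names, dates and business hours below are assumptions."""
from collections import defaultdict
from datetime import datetime, time, timedelta

BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)   # assumed policy hours, Mon-Fri
MIN_WINDOW = timedelta(days=7)                            # the seven-day minimum stated in the case

# Constructed sample: tender_id,opened_at,closed_at (T-2 and T-3 use the two windows quoted in the case)
TENDER_LOG = """\
T-1,2014-03-03 10:15,2014-03-12 17:00
T-2,2014-03-05 03:25,2014-03-05 08:59
T-3,2014-03-06 03:35,2014-03-06 09:12
T-4,2014-03-10 11:00,2014-03-14 16:30
"""

# Constructed sample: user,timestamp,action
ACCESS_LOG = """\
user01,2014-03-05 03:20,login
user01,2014-03-05 03:24,open_tender:T-2
user02,2014-03-05 11:02,login
user03,2014-03-06 03:31,login
user03,2014-03-06 03:34,open_tender:T-3
user02,2014-03-10 10:58,login
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s.strip(), "%Y-%m-%d %H:%M")


def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def flag_tender_windows(log_text: str) -> list:
    """Return (tender_id, [reasons]) for every window that breaches the opening-time or duration policy."""
    flags = []
    for line in log_text.strip().splitlines():
        tid, opened, closed = line.split(",")
        o, c = parse_ts(opened), parse_ts(closed)
        reasons = []
        if not in_business_hours(o):
            reasons.append("opened outside business hours")
        if c - o < MIN_WINDOW:
            reasons.append(f"open only {c - o} (policy minimum {MIN_WINDOW.days} days)")
        if reasons:
            flags.append((tid, reasons))
    return flags


def flag_off_hours_access(log_text: str) -> dict:
    """Group off-hours portal activity by user; these accounts warrant follow-up."""
    by_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        user, ts, action = line.split(",")
        t = parse_ts(ts)
        if not in_business_hours(t):
            by_user[user].append((t.isoformat(timespec="minutes"), action))
    return dict(by_user)


def correlate(tender_flags: list, off_hours: dict) -> dict:
    """Link each flagged tender to the users who opened it off-hours."""
    flagged = {tid for tid, _ in tender_flags}
    links = defaultdict(set)
    for user, events in off_hours.items():
        for _, action in events:
            if action.startswith("open_tender:"):
                tid = action.split(":", 1)[1]
                if tid in flagged:
                    links[tid].add(user)
    return {tid: sorted(users) for tid, users in links.items()}


if __name__ == "__main__":
    windows = flag_tender_windows(TENDER_LOG)
    odd_hours = flag_off_hours_access(ACCESS_LOG)
    for tid, reasons in windows:
        print(tid, "; ".join(reasons))
    print(correlate(windows, odd_hours))
```

T-4 is included deliberately: it was opened during business hours but closed after four days, so a check that only looks at the opening time would miss it. Conversely, an off-hours login by itself is not proof of anything; the correlation step is what turns a list of odd-hour accounts into a short list of tender/account pairs worth an investigator's time.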

A second case is not yet resolved, but illustrates the importance of having controls over the electronic opening of bids. In 2014, allegations surfaced that the e-tendering process used by Karnataka Power Corporation (KPC) involved corruption, after a High Court found "serious flaws and lapses" in the process.

The allegations stem from KPC's tender for the transportation of coal from Odisha to the Raichur Thermal Plant. The tender was handled through KPC's e-procurement portal, and a total of seven companies submitted bids. Technical bids were opened on two different dates in June 2014, but a list of all qualified tenders was never produced. Then, only the financial bid of one company was opened, and that company was awarded the contract. As it turns out, the winning company had submitted the highest price for the contract.

This allegation remains unsettled, so no guilt or innocence can be concluded at this time. However, one obvious flaw (an oversight at a minimum, and potentially an intentional act) in the process concerns the manner in which electronic bids were opened, a point addressed earlier in this paper. Even if the other six bids were eliminated for legitimate technical reasons, the multiple dates of opening technical bids and the lack of a proper list or ranking of qualified bids on technical merits indicate serious weaknesses in the process used.

IT Security Risks in General

There are numerous fraud risks surrounding the security of an e-tendering system. Most of these risks are not unique to any single phase of procurement. A complete explanation of IT security risks relevant to e-tendering is well beyond the scope of this session. However, a few key principles should be considered.

Regardless of which phase of the procurement cycle is involved, information security becomes a critical priority in an e-tendering environment. Organizations that implement e-tendering systems should keep in mind the three basic principles of information security:

1. Confidentiality
2. Integrity
3. Availability

Confidentiality refers to making information accessible only to those authorized to use it and preventing unauthorized disclosure of systems and information. Vendors submit a lot of sensitive and otherwise confidential information when they enroll in an e-tendering system and begin submitting bids. Banking and financial data of the vendor and personal information about owners and officers are just a couple of examples of the data that may be gathered in an e-tendering system. Other vendors or unknown third parties would certainly like to obtain this information, and might be able to do so in any of the following manners:

Directly, through unauthorized access to parts of the system in which this data is held
Through service providers (vendors that host the e-tendering site or that otherwise have access to the system as part of their work for the purchasing entity)
Via purchasing entity personnel (most commonly procurement or IT personnel)


Integrity refers to safeguarding the accuracy and completeness of information and processing methods and preventing unauthorized modification of systems and information.

Availability refers to ensuring that information is available when required and preventing disruption of service and productivity. The BMC case is an excellent example of how corrupt purchasing employees can rig a system’s availability to benefit preferred vendors.

Most IT security risks relevant to an e-tendering system correspond to weaknesses in one or more of the preceding three areas.

Authentication, discussed earlier, is sometimes listed as a separate component of IT security, as is non-repudiation. Non-repudiation refers to a process that ensures that the parties to a transaction cannot deny their participation in that transaction. For example, non-repudiation ensures that a vendor cannot deny having submitted a bid quoting certain prices and terms, or having submitted certain data during the prequalification process.

Like authentication, discussed earlier, non-repudiation is often obtained through the use of digital signatures.
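As an added illustration, not taken from the paper, of how a digital signature gives a submitted bid both integrity and non-repudiation: the vendor signs a canonical record of the bid with its private key, so the purchasing entity can later show that exactly those prices and terms were signed by that vendor, while any altered copy of the bid fails verification. The bid fields, the key handling and the Go code are assumptions made for this example; a real e-tendering system would also bind the signing key to the vendor's verified identity during enrollment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Bid is the record a vendor signs when submitting to a hypothetical
// e-tendering system. Every field that could later be disputed is included.
type Bid struct {
	TenderID string
	VendorID string
	Price    int64 // whole currency units; constructed sample data
	Terms    string
}

// canonical serializes the bid in one fixed field order so that the vendor
// and the purchasing entity always sign and verify the same bytes.
func canonical(b Bid) []byte {
	return []byte(fmt.Sprintf("tender=%s|vendor=%s|price=%d|terms=%s",
		b.TenderID, b.VendorID, b.Price, b.Terms))
}

// SignBid runs on the vendor side with the vendor's private key.
func SignBid(priv ed25519.PrivateKey, b Bid) []byte {
	return ed25519.Sign(priv, canonical(b))
}

// VerifyBid runs at the purchasing entity on receipt and again in any later
// dispute: it succeeds only for the exact bid the vendor signed.
func VerifyBid(pub ed25519.PublicKey, b Bid, sig []byte) bool {
	return ed25519.Verify(pub, canonical(b), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bid := Bid{"T-2015-001", "VENDOR-A", 250000, "Net 30"}
	sig := SignBid(priv, bid)
	fmt.Println("original bid verifies:", VerifyBid(pub, bid, sig))
	altered := bid
	altered.Price = 275000 // a later attempt to change the quoted price
	fmt.Println("altered bid verifies:", VerifyBid(pub, altered, sig))
}
```

The signature and the canonical bid bytes belong in the audit trail alongside the submission timestamp, so the evidence survives independently of the live bid record.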

Just as IT security is a topic that extends well beyond the scope of this paper, so too would be a listing of IT security risks applicable to an e-tendering system. However, organizations that have adopted e-tendering have commonly identified certain risks that should be considered, such as:

- IP spoofing, where a fraudster impersonates a legitimate user’s IP address to access the e-tendering system without authentication


- Unvalidated redirects, in which a Web application redirects victims (bidders) to phishing or malware sites, or uses forwards to access unauthorized pages
- Insecure cryptographic storage, where sensitive data, such as authentication credentials, are not protected with proper encryption or hashing
- Injection, in which hostile data sent to the e-tendering system can potentially trick the system into executing unintended commands or accessing unauthorized data
- Cross-site scripting (XSS), where an attacker executes scripts in the victim’s browser that can hijack user sessions or redirect the user to malicious sites

This is, of course, a very partial list of the vast potential for risks. And none of these risks are unique to e-tendering. E-commerce and many other types of sites and systems possess the same risks. But these are very real risks for e-tendering systems.

Guidance on IT Security

Organizations considering implementing an e-tendering system, as well as organizations already using one but who would like to review the IT security features of their systems, may find the following publications of use:

- Recommendations for Effective Public e-Procurement, Part I: High-Level Report, The e-Tendering Expert Group (e-TEG) of the European Commission, February 2013
- Recommendations for Effective Public e-Procurement, Part II: Operational Recommendations, The e-Tendering Expert Group (e-TEG) of the European Commission, February 2013
- e-Procurement Golden Book of Good Practice—Final Report, 11 March 2013, prepared for Directorate General Internal Market and Services of the European Commission


Each of these publications focuses exclusively on e-tendering and provides guidance on numerous IT security risks that go beyond the scope of this paper.

For broader guidance on IT security (not associated specifically with e-tendering), two sources are of particular use:

- The ISO27k suite of information security standards adopted by ISO/IEC (e.g. ISO/IEC 27001, 27002, etc.)
- Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53 (Revision 4), April 2013, National Institute of Standards and Technology, U.S. Department of Commerce

The ISO 27k suite is a series of standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Of the entire suite of standards, ISO/IEC 27002 is the standard dealing most directly with information security controls. The 2013 version of ISO/IEC 27002 addresses 14 different domains of information security. Within these 14 domains, 35 control objectives are identified, associated with protecting the confidentiality, integrity, and availability of information. These control objectives are fairly high level in nature, and they are supported by a total of 114 controls. The guidance itself, however, identifies significantly more than 114 controls.

Conclusions

Converting from a paper-based system to e-tendering can have many benefits, as indicated at the beginning of this paper. One of those benefits is increased transparency. This is achieved through the great capabilities of e-tendering for maintaining an audit trail. And since this audit trail is electronic in nature, it creates a very strong potential for the use of data analytics. Data mining in an e-tendering system is filled with possibilities.

But e-tendering should never be viewed as foolproof or as a complete solution to fraud and corruption risks. Far from it. It changes the game, closing some opportunities for fraud, changing others, and even creating some new ones. Fake bids from shell companies are reportedly even greater in e-tendering systems than in paper systems in some cases (perhaps a good argument for stronger prequalification steps).

There are also internal obstacles in making such a conversion. Organizations should never opt for e-tendering without first performing a top-to-bottom assessment of their operations, processes, and capabilities. A poorly implemented e-tendering system will be worse than a paper system.

In spite of these obstacles, however, most organizations that have made the switch from paper to electronic systems have expressed satisfaction with their decision.