Louisiana’s legislative audit uncovered $1.3 million in diverted public funds. The mechanism was familiar to anyone who has worked in State procurement: weak controls at the points where supplier records get created, modified, and paid. The diversion did not require sophisticated hacking. It required the absence of a control.
Every State finance organization that read the Louisiana story asked the same question. Could that happen here? For most, the honest answer is yes. Vendor payment fraud prevention is not a single product or a single policy — it is a set of upstream controls that close the gaps before they become headlines. This post discusses where those gaps live, why they persist, what a modern control framework looks like, and which technology stack is configurable today on platforms most State agencies already own.
Why Existing Controls Fail
The popular image of fraud is a hooded attacker breaching a firewall. The reality is more subtle and more expensive. The highest-dollar fraud vector in State and local government payments is not a network breach. It is a banking change.
Here is the pattern, and it is consistent across every documented case:
- A legitimate supplier exists in the vendor master.
- An attacker — sometimes external, sometimes internal — submits a banking update on that supplier’s record.
- The update is processed without dual-control re-verification.
- The next payment cycle routes funds to the attacker’s account.
- By the time the legitimate supplier complains about non-payment, the funds are gone.
The Louisiana incident followed this pattern. So have similar incidents in other states that received less national coverage. The fraud does not exploit a technology weakness. It exploits a process weakness — specifically, the absence of mandatory dual-control verification at the moment a banking record changes.
The 60 Minutes coverage that followed the Louisiana audit made the broader point: federal and State governments lose hundreds of billions of dollars annually to fraud schemes that exploit weak supplier onboarding, verification, and payment-update processes. The recommendation was specific. Implement rigorous processes that manage and monitor supplier information before onboarding occurs and before any payments are made.
Most State procurement organizations already have controls. The controls fail not because they are absent but because they are designed for a different operating reality than the one they now face.
Three structural conditions overwhelm traditional controls:
Supplier volume is growing faster than headcount.
A typical State Department of Finance & Administration manages hundreds of thousands of supplier records, onboards thousands of new suppliers per year, and processes tens of thousands of supplier modifications per year. Most teams don’t have the bandwidth to manually verify every change with the rigor required to prevent fraud. So the team triages — and the triage process becomes the attack surface.
Verification is sampled, not continuous.
Existing audit programs sample supplier records to check for expired insurance, lapsed certifications, and stale W-9s. Sampling means most records are unchecked most of the time. Document compliance failures are the most common audit citation in State procurement for a reason.
Fragmented procurement systems make detection harder.
When supplier data lives in one system, payment data in another, and approval workflow in a third, even an alert investigator has to reconstruct the trail across multiple sources. Fragmented procurement systems hide the patterns that would otherwise expose fraud in flight. The same fragmentation that frustrates legitimate users frustrates fraud detection.
The result is predictable. Controls exist on paper. Controls fail in practice. The next audit finds the same gaps as the last.
The Upstream Control Framework
Vendor payment fraud prevention does not start at the payment file. It starts at the moment a supplier first touches your environment. By the time a payment is about to be released, the control points are history. This is the most important conceptual shift for State CFOs and procurement leaders thinking about fraud prevention: the controls that matter need to be upstream.
A modern upstream control framework has four layers:
1. Identity Verification at Onboarding
Every new supplier should be verified against NIST 800-63-3 IAL2 standards at the point of registration. That means government ID capture, document authentication against authoritative databases, biometric liveness check, biometric match against the ID document, and knowledge-based authentication. The verification produces a risk score with contributing factors — each independently auditable.
This is not a nice-to-have. It is table-stakes for any State procurement organization that wants to claim it is preventing fraud. Manual identity review at the volumes a State operates at is not feasible, and the absence of automated IAL2 verification is itself an audit finding waiting to happen.
2. Bank Account Ownership Validation
The supplier’s submitted bank account must be verified as belonging to the supplier – not just verified as a valid account. The validation needs to cover four things: account ownership, TIN match against IRS records, duplicate detection against the existing supplier base, and fraud intelligence against the global financial network. Modern validation services return all four checks via API in two to three minutes. There is no operational reason to skip them.
3. Mandatory Dual-Control Re-Verification on Banking Changes
This is the control that closes the Louisiana fraud vector. When a banking change is submitted on an existing supplier record, the system must require both identity re-verification at IAL3 (elevated assurance) and new-account ownership validation before the change activates. The existing banking record remains live until both verifications pass.
This single control, applied consistently, would prevent the majority of documented vendor payment fraud incidents in State government. It is also the control most often missing from existing supplier management systems.
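The staging logic this control describes, as an added Python example (not code from any of the platforms named in this post): a banking change is held as pending, and payments keep routing to the existing account until both checks pass. The class names, the check labels, and the rule that a requester cannot verify their own change are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Both checks named in the control; the string keys are this example's own labels.
REQUIRED_CHECKS = frozenset({"identity_ial3", "account_ownership"})

@dataclass
class PendingChange:
    new_account: str
    requested_by: str
    passed: dict = field(default_factory=dict)  # check name -> verifier

@dataclass
class Supplier:
    supplier_id: str
    active_account: str                      # what payment runs use
    pending: Optional[PendingChange] = None  # staged, never paid to
    audit: list = field(default_factory=list)

    def _log(self, event, actor, detail=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, event, actor, detail))

    def request_bank_change(self, new_account, requested_by):
        # Stage only: the existing banking record stays live.
        self.pending = PendingChange(new_account, requested_by)
        self._log("change_requested", requested_by)

    def record_check(self, check, passed, verifier):
        if self.pending is None or check not in REQUIRED_CHECKS:
            raise ValueError("no pending change or unknown check")
        # Assumption beyond the page: the requester may not verify their own change.
        if verifier == self.pending.requested_by:
            raise PermissionError("requester cannot verify own change")
        if not passed:
            # Any failed check discards the staged account entirely.
            self.pending = None
            self._log("change_rejected", verifier, check)
            return False
        self.pending.passed[check] = verifier
        self._log("check_passed", verifier, check)
        if REQUIRED_CHECKS <= set(self.pending.passed):
            self.active_account = self.pending.new_account
            self.pending = None
            self._log("change_activated", verifier)
        return True

    def payment_account(self):
        # Payment runs read only the active record, never the staged one.
        return self.active_account
```

A second change request replaces the staged record and clears any checks already passed, so a verified request cannot be swapped for a different account before activation.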
4. Continuous Document and Compliance Monitoring
Insurance certificates expire. Licenses lapse. W-9s go stale. Each lapse is a potential payment gate failure and a recurring audit citation. Continuous monitoring – with proactive supplier notification 14 days pre-expiration and automatic payment hold on non-compliant suppliers – converts a recurring audit exposure into an automated gate. Auditors get exception-based reporting instead of comprehensive sampling.
These four layers are mutually reinforcing. Identity verification stops the synthetic supplier. Ownership validation stops the misdirected payment. Re-verification stops the banking change fraud. Continuous monitoring stops the duplicate payments and compliance lapses that drain budgets even when no fraud is occurring.
What the Results Look Like
The outcomes from implementing this framework are measurable in months, not years. Departments that model this approach against current processes can expect:
- Standard onboarding cycle reduced from 10 to 15 business days to under 30 hours
- Staff requests for missing information reduced by 75%
- Identity and bank verifications are 75% touchless
- Bank validation is compressed from days or weeks to minutes
- Audit package generation reduced from a multi-system forensic search to under one minute
- Banking-change fraud control elevated from none to mandatory dual re-verification
The numbers matter less than what they represent. A procurement organization that previously absorbed manual effort at a 1:1 ratio with supplier volume now absorbs growth without proportional headcount. The supplier onboarding process becomes a controlled, audited workflow rather than a queue of unverified email attachments. The fraud vectors that consumed Louisiana’s $1.3 million are closed at the gate.
Why This Matters Beyond Fraud
Vendor payment fraud prevention is the headline reason to modernize. It is not the only reason. The same upstream controls that prevent fraud also produce a series of operational benefits that justify the investment independently:
Audit readiness becomes continuous, not episodic.
When every supplier action — identity check, bank validation, approval, banking change — lands on a single auditable timeline, audit packages generate in under a minute. The forensic email search disappears. The State Auditor’s office gets evidence on demand.
Supplier performance becomes measurable.
Once supplier records are clean and verified, supplier performance management becomes possible. A vendor scorecard that reflects real delivery, quality, and compliance data — instead of disconnected spreadsheets — turns supplier management into an accountable program. High performers rise in sourcing recommendations. Underperformers get a structured remediation path.
ERP systems are preserved, not replaced.
A modern control framework does not require ripping out existing systems; the current systems of record stay in place – and are often improved. A workflow layer becomes the system of action — where the verifications happen, where the decisions get documented, where the audit trail lives.
The Partner Stack That Makes This Work
This control framework is not theoretical. It is configurable today on a platform many State agencies already own, with two specialized partners that integrate natively. For State CFOs and CIOs evaluating their options, the composition of the stack matters — because the integration pattern is what produces the single auditable timeline that closes the audit exposure.
ServiceNow: The System of Action
ServiceNow Source-to-Pay — specifically the native Supplier Lifecycle Operations (SLO) and Sourcing & Procurement Operations (SPO) modules — provides the workflow, case management, and audit backbone for the entire framework. This matters for operational reasons: ServiceNow is already deployed in the majority of State IT environments for service management, which means the up-front investment, the security accreditation, and the operational support model are already in place. Extending an existing ServiceNow footprint to cover supplier lifecycle is faster, cheaper, and lower-risk than standing up a net-new solution. The outcome for the State: a single auditable timeline per supplier, exportable in under a minute, built on a platform the State Auditor’s office already trusts.
1Kosmos: Identity Verification at Government Scale
1Kosmos delivers NIST 800-63-3 IAL2 and IAL3 identity proofing with the specific certifications that matter for public sector deployment — FedRAMP High, federal customer references including the Department of Defense, and document template coverage spanning 190+ countries. For a State agency, the practical implication is that identity verification is not a build, it is a configuration. The 50+ document validation checks per submission, biometric liveness, and zero-second data retention policy are operationally ready on day one. The outcome for the State: every new supplier verified to a federal-grade assurance standard, every banking change re-verified at IAL3, with the audit evidence to defend every decision to a legislative committee.
RelishIQ: Banking and Supplier Validation Without the Wait
RelishIQ closes the bank account ownership question — the specific control point where Louisiana’s $1.3 million was lost. The platform returns TIN match, account ownership, duplicate detection, sanctions screening across 137 to 140+ global watchlists, and fraud intelligence via API in two to three minutes. The current public sector client list includes the State of Arkansas, Maryland, and multiple municipal governments — meaning the integration patterns, the data feeds, and the operational playbooks are already proven in State environments. The result: the highest-dollar fraud potential in supplier payments is closed at the moment of change, with a verification turnaround that does not slow legitimate suppliers.
Any one of these components delivers value independently. The reason State agencies should evaluate them together is the integration pattern. ServiceNow becomes the system of action where the work happens. 1Kosmos and RelishIQ embed natively — every identity check, every bank validation, every fraud signal lands on the same supplier record, the same case timeline, the same audit trail. The State manages a single support relationship, not three. The auditor sees a single evidence package, not three reports stitched together. The supplier sees one experience, not three handoffs. This is the architectural decision that turns three vendors into one platform — and one platform into the control framework State finance organizations have needed for a decade.
The Cost of Waiting
The cost of vendor payment fraud is not theoretical. Louisiana documented $1.3 million in a single audit cycle. Other States have documented similar or larger losses with less public coverage. The cost of implementing a modern control framework is a fraction of a single prevented incident.
The harder cost is reputational. State procurement organizations that experience a documented fraud diversion face legislative scrutiny, public coverage, and a multi-year credibility recovery. The CFO who prevented the incident is invisible. The CFO who experienced it is on the front page.
Modern vendor payment fraud prevention is no longer a procurement nice-to-have. It is a baseline expectation from State legislatures, auditors, and the public. The organizations that move first set the standard. The organizations that wait become the case study someone else writes.
What to Do Next
The first step is honest assessment. For any State procurement organization, three questions establish where you actually stand:
- When a supplier submits a banking change on an existing record, what is the required verification process — and is it dual-control with both identity re-verification and account ownership validation?
- What percentage of your supplier verifications today are fully automated versus manual?
- When an auditor requests the complete decision trail on a specific supplier, how long does it take to assemble the package?
If the answers to these questions are not rock solid, they will concern your auditors. The good news is that the technology to close every one of these gaps exists today, is configurable on platforms most State agencies already own, and produces measurable outcomes within the first implementation phase.
The Louisiana incident was a warning. It does not have to be your fate.