Wednesday, August 25, 2021

10 Ways to Identify Accounts Payable Fraud


10 Ways to Identify Accounts Payable Fraud

This article was updated December 2023. Download the updated article now!

by Christine L. Warner, President of Automated Auditors, LLC

When Sarbanes-Oxley was passed in 2002, many companies were forced to take an in-depth look at internal Accounts Payable controls. Implementing internal controls takes time, but may prove to be a very cost-effective measure if any fraud or leakages are found. Here are a few approaches you can try to tighten up your A/P audit. They require some degree of data mining and programming capability but are fairly straightforward to implement.

1) Duplicate Payments

Duplicate payments in most cases may not be fraud-related, but continue to be a significant A/P leakage that is both preventable and recoverable. Mark Van Holsbeck, Director of Enterprise Network Security for Avery-Dennison, estimates that corporations make duplicate payments at the rate of 2%. Two percent may not sound like much, but if your company’s A/P invoices total $75 million, duplicate payments may account for $1.5 million. Take a look at the statistics:
  • Medicare - The Dept of Health & Human Services’ Inspector General estimated that Medicare made $89 million of duplicate payments in 1998.
  • Cingular - We have once again discovered that payments made online as an Electronic funds payment for TDMA accounts, have been deducted twice from the customer's checking account. 
  • Medicaid - We identified at least $9.7 million in such duplicate payments during our two-year audit period, and estimated that as much as $31.1 million in additional duplicate payments may have been made.” 

In a rush to find the overpayments, many companies have emerged: A/P Recap, Automated Auditors, AP Recovery, ACL, CostRecoverySolutions, and more. That these companies are thriving is a testament to the fact that duplicate payments still occur at an alarming rate.

Many software packages have some controls over duplicate invoices but it usually takes some in-depth querying to find them all. For example, many accounting packages do a duplicate invoice check and prevent you from keying in a duplicate invoice number for the same vendor. But just add an “A” to the invoice number or change a penny and you are on your way to a duplicate payment. Another common mistake is found in vendor files; duplicate vendor numbers for the same vendor is the number one cause of duplicate payments. 

Here is what we recommend for developing an accurate and comprehensive dupe payment report:

1)            Implement the 5 basic dupe searches if you haven’t already.  These are:


Vendor #

Invoice #

Invoice Date

Invoice Amount


























A programmer in your IT department will be able to help you with the SQL code for these joins.  The SQL code will look something like this to create the first report “EEEE”:








              A.ID <> B.ID

The ID field should be a unique record identifier to distinguish one record from another.  In Microsoft Access, these fields are usually created by using the data type “AutoNumber”.  In open code, a field such as this can be easily created using a counter and incrementing it by 1 for every record (COUNTER = COUNTER + 1).

2)         Implement some fuzzy-matching

Implementing “similar” fuzzy-matching instead of exact matching is what makes this approach more accurate and powerful than many.  We define “similar” to mean the following: 

Invoice numbers are considered similar if they are exact after stripping out any

zeros and any alphabetic characters as well as punctuation characters.

Invoice dates are considered similar if the difference between the dates is less than a designated amount such as 7 days.  For example, if you entered "7" days for the date tolerance, then all invoices with a date different of 7 or less would be considered similar.  We generally set the date tolerance to 21 days to catch duplicate payments made 3 weeks apart; this often eliminates catching legitimate rent payments. 

Amounts are considered similar if they meet one of three criteria:

  1. the amounts are 5% +/- the other amount
  2.  one amount is exactly twice as much as the other, i.e.  $220.15 and $440.30
  3. the amounts start with the same first 4 digits, i.e. $123.45 and $1,234.55

Try using similar matching on the invoice number, date, and amount fields when you conduct your next duplicate payment audit – your reports will be shorter and more accurate!

2) Benford’s Law

What is it?

Benford's Law (which was first mentioned in 1881 by the astronomer Simon Newcomb) states that if we randomly select a number from a table of physical constants or statistical data, the probability that the first digit will be a "1" is about 0.301, rather than 0.1 as we might expect if all digits were equally likely. In general, the "law" says that the probability of the first digit being a "d" is

Where ln refers to the natural log (base e).  This numerical phenomenon was published by Newcomb in a paper entitled "Note on the Frequency of Use of the Different Digits in Natural Numbers", which appeared in The American Journal of Mathematics (1881) 4, 39-40. It was re-discovered by Benford in 1938, and he published an article called "The Law of Anomalous Numbers" in Proc. Amer. Phil. Soc 78, pp 551-72. [1]

You can actually re-create this function in Excel quite easily.  In one column, type 1, 2, 3, through 9, making 9 rows in cells A1 through A9.  In the second column, cell B1, type the function “=ln(1 + 1/A1) / ln(10)” and copy this function for cells B2 through B9 and it will create the probabilities.

How is it used to identify fraud?

If we know the normal frequency of digits, then we can identify digit frequencies that violate that normal behavior.  For example, Benford concluded that, out of a group of numbers, the first digit will be “1” about 30% of the time.  Similarly, using the same function, we can expect the first digit to be “8” about 5.1% of the time.  Expected frequencies for each first-digit of the invoice amount are shown in the graph below: 

If we review Accounts Payable invoices and determine the first digit of the invoices is “8” 50% of the time, then we may have either many legitimate payments that start with “8”; or we may have fictitious invoice amounts.  Fraudsters will often create an amount that starts with a higher number, like 8 or 9, not knowing that auditors are now equipped to identify these abnormal payments. 

3) Rounded-Amount Invoices

People who commit fraud often create invoices with rounded amounts, which are invoices without pennies.  Yes, you would think the fraudster would have “cents” enough to do otherwise.  An easy way to identify rounded-amount invoices is to use the MOD function in Excel.  Suppose your invoice amount is $150.17; then MOD(150.17,1) gives you the remainder of dividing 150.17 by 1, which is .17.  So, using the MOD function with a divisor of 1 on a no-pennies amount would leave us a remainder of 0.  Additionally, try to rank your vendors by those with a high percentage of rounded-amount invoices.  To do this, just calculate each vendors’ number of rounded-amount invoices and divide it by the total number of invoices for that vendor, obtaining the percentage.  Then rank by descending percentage to review the most suspicious vendors first.    

4) Invoices Just Below Approval Amounts

People who commit fraud are not always the “sharpest knife in the drawer.”  Suppose an A/P clerk knows the different dollar thresholds for management approval.  For example, a supervisor may only be allowed to approve invoices of $3,000 or less, while a manager may be allowed to approve invoices of $10,000 or less, and so on.  Suppose this A/P clerk and a manager decide to skim off some extra dollars together.  What is the easiest way to get the most money?  Create an invoice just below the approval level of that manager:  $9,998 when the approval level is $10,000; or $2,978 when the approval level is $3,000. 

To identify these potentially fraudulent invoices, try this:  identify invoices that are 3% (or less) LESS THAN the approval amount.  For example, if your approval amount is $3,000, then any invoice that is between $2,910 and $2,999 would be flagged as suspicious.       

5) Check Theft Search

Most Accounts Payable departments conduct a reconciliation of Accounts Payable with the monthly Bank Statement to identify any discrepancies between the two.  This process can also be instrumental in identifying check fraud.  One simple way to spot potential check fraud is to identify missing check numbers or gaps in reconciled checks numbers.  This is usually indicated on the bank statement with a ‘*” or ‘#’ to indicate the check number is not sequential. 

Another more advanced way is to conduct a reverse Positive Pay electronically.  By merging your check register, A/P file, and bank statements together, you have the power to identify stolen checks.  Better yet, if your bank has OCR (Optical Character Recognition) abilities, then you can identify the actual payee on the check. 

Speaking in technological terms, you have 3 different data bases describing 1 activity.  Use the 3 data sources to find any discrepancies in the 1 payment.  If your check numbers are unique, try merging all 3 data sources by the check number and compare each of the following fields:


-check amount

-check date

Using SQL code or another programming language, identify all of the checks that are in one data base and not the other.  In addition, identify all of the checks that are in all 3 data sources but have different payee names or different amounts and dates.   

Figure 1:  Bank Reconciliation Process

6) Abnormal Invoice Volume Activity

Monitoring vendor invoice volume is one way to alert you to abnormal behavior.  Rapid invoice volume increases may indicate a legitimate increase in business, but also may indicate that a fraudster has become more confident in stealing money.  Either way, the increase may warrant further investigation.  Suppose a vendor has 2 invoices one month and 70 the next – you may want to know why even if the reason is not a fraudulent one. 

To calculate the percent increase in invoice volume from month to next month, find the difference in number of invoices and then divide by the number of invoices in the first month.  In our example, going from 2 invoices to 70, the difference (68) divided by the number of invoices in the first month (2) represents a 3,400% increase.  Setting the threshold percentage is the key here; when doing audits, we like to set the threshold percentage at 300% or higher.  Setting the threshold at 300% will catch increases from 3 to 13, which may not be interesting, so you may also want to set a minimum number of records that you are interested in, such as 50 as your second month’s number of invoices.  Setting the threshold at 300% will also catch more interesting increases, such as 50 to 220. 

7) Vendors with Cancelled or Returned Checks

Cancelled and returned checks do occur in the course of a normal Accounts Payable month.  What is more uncommon is a vendor with many cancelled checks or a regular pattern of cancelled checks.  Cancelled checks are usually legitimate transactions; however, a cancelled check can be returned to the wrong hands and re-written to the fraudster.  Below is a true story of how a clerk turned a returned check into a fraudulent one:

“An uncashed disbursement check was returned to an accounts payable clerk for disposition because she originated the invoice entry. The clerk put the check in her desk and forgot about it for several months. Upon cleaning her desk, she discovered the returned check. When she checked the paid history, she realized the supplier had returned the check when it was determined to be a duplicate payment of an invoice. She also noticed that the payee name had been printed slightly below "Payee" on the check. With a bit of effort she managed to align the check and insert her name above the original payee in a print similar to the original, along with an "or" designation following her name. The fraud was caught by an accounts payable auditor searching for duplicate payments and who was asked by the supplier to furnish proof of duplicate payments by providing copies of both cancelled checks. “

This algorithm is easy to implement.  Calculate the number of cancelled or returned checks for each vendor and divide by the total number of checks for that vendor.  Then, sort this list by descending percent so that your most suspicious vendors are at the top of the report

8) Above Average Payments per Vendor

This algorithm identifies invoices that are way above average for a particular vendor.  Suppose a vendor normally has invoices ranging from $1,000 to $3,000; suddenly an invoice shows up for $25,000.  You may want to investigate this abnormality and can do so using this alert pattern. 

This algorithm is also easy to implement:  For each vendor, calculate the average and standard deviation of the invoice amount.  Then, calculate a z-score for each invoice amount:

            z-score  = (invoice amount – average amount) / standard deviation

Then, flag all vendors with a z-score above 2.5, indicating the payment is more than 2.5 standard deviations above the mean.  If your report is still too large, try increasing the z-score threshold to 3.0 or higher.

Using this algorithm alone, we were able to catch employee fraud occurring in a mid-size health manufacturing company.  The fraudulent employee was receiving a paycheck every other week in the amount of $500 to $1,000 when, all of the sudden, 3 invoices for $40,000 each appeared.  Because $40,000 was significantly greater than this employee’s average payment, the payments were flagged for further research.  What made the invoices even more suspect was that they occurred on or near the same date and had no invoice number.  After alerting the new controller of the suspect payments, the new controller was aware that an employee had left in a legal “scuffle” but was not aware of the $40,000 checks that were stolen.

9) Vendor / Employee Cross-Check

“Trust but verify”.  Most employees are generally trustworthy!  But it does not hurt to conduct some data mining to make sure they are.  Here is a simple approach to cross-check your vendor and employee files to see if perhaps an employee has set up a fictitious vendor.      

Try merging your vendor file and employee file by the following variables:

  • Address
  • Tax ID Number
  • Phone Number
  • Bank Routing Number

If you have a good programmer, try doing some fuzzy-matching on these fields as well.  For address, try extracting JUST THE NUMBERS in the street plus the zip code, and then compare these numbers.  This eliminates matching on noise words such as “Drive” and “Suite”. 

Also, try doing some fuzzy-matching on tax ID number as well, just in case there was a typo in the data entry.  If you specify that the tax IDs are equal if they are even 1 digit off, you may catch a vendor/employee ring!

This algorithm made it possible to detect a real employee (“Kathy”) whose SSN was the same as a company EIN (tax ID number).  The company name, which we will call “ABC Inc”, happened to be on the same street, city, and state as a person with the same last name as the employee (presumably her spouse).  Without this pattern, the employee fraud may have gone undetected.

10) Vendors with a Mail Drop as an Address

This algorithm compares vendor addresses with mail-box drop address such as “Mail Boxes, Etc”.  Some fraudsters will use mail drops as their address instead of a P.O. Box, to hide their fraudulent activity.  Not all of the vendors appearing on this list will be fraudulent, because a vendor may in fact be right next to a Mail Boxes, Etc.  However, the list provides a unique approach to reviewing vendors who also may show up on another alert list. 

(To obtain a copy of the mail-drop table, contact the author of this document).  Or, if you have time, you can also search for Mail Boxes, Etc. on and put the addresses in a database and then conduct your address matching accordingly.


Occupational fraud is a growing problem.  In fact, the Association of Certified Fraud Examiners (ACFE) estimates that 5% of all revenue is lost to occupational fraud every year.  Fraud is not 100%preventable but there ARE steps you can take to both prevent and detect fraud on an ongoing basis.  At a minimum, scan for duplicate payments every 6 months, and perform an annual cross-check between your vendor file and employee file.  With these two steps alone, you may be able to pinpoint leakages that otherwise may go unnoticed.

About the Author

Christine L. Warner is the President of Automated Auditors, LLC, and has over 20 years of experience in data mining, fraud detection, statistical analysis, and complex customized programming. She has authored several articles on using data mining to detect fraud, such as "Death Fraud: This Identity Theft is Alive and Kicking", co-authored with Cheryl Hyder, for which they received the Hubbard award in 2011 for most influential article published in Fraud Magazine (ACFE). Christine has served as the Deputy Project Director of a Medicaid Integrity Contractor audit for the entire Northeast region of the U.S., and has personally developed over 50 healthcare fraud algorithms, as well as an entire suite of Accounts Payable fraud algorithms.

Disclaimer: The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®

Tuesday, January 19, 2021

Quincy Woman Admits to Public Benefits Fraud


DEDHAM, MASS. — A Quincy woman has been ordered to spend a year under house arrest and pay a six-figure restitution after pleading guilty last week to fifteen indictments of defrauding public benefits programs and providing false or misleading information, State Auditor Suzanne M. Bump and Norfolk District Attorney Michael W. Morrissey announced today.

Read the rest of the story!

Friday, December 25, 2020

6 Tips for Conducting Virtual Internal Audits


6 Tips for Conducting Virtual Internal Audits

Bryan Kesler, CEO at CPA Exam Guideis a passionate CPA exam mentor with a mission of helping all CPA Candidates struggling to pass the CPA exam find success.

COVID-19 has impacted almost every aspect of today's work environment, including on-site internal audits. More and more organizations and CPAs are trying to adjust to virtual internal auditing to drive change and increase long-term resiliency.

We focus on the best practices for performing internal audit services in a remote environment. But let us first start with why virtual audits are so important for organizations today.

The Need for a Remote Audit

Organizations are subject to internal audits for a variety of reasons, including:

  • Assessing regulations, compliance with standards, and adherence to requirements/specifications

  • Evaluating process and system performance

  • Confirming conformance with contractual obligations

  • Evaluating the effectiveness and adequacy of the quality management system

However, with strict travel restrictions brought by COVID-19, traditional on-site audits are no longer a feasible option for many. Virtual or remote audits offer an organization with a viable alternative to ensure continued compliance with regulatory requirements.

Virtual audits are performed virtually rather than on-site with a client. Although it is not a completely new concept, auditors are required to quickly adapt their audit procedures to fulfill their obligations while working in a virtual setup.

To successfully navigate their internal audit requirements, companies today should consider deploying various digital technologies to become smarter, more cost-efficient, and more agile about offering services that make an impact.

6 Top Tips for Conducting Virtual Internal Audits

Here are some top tips for conducting virtual internal audits:

1. Revisit the Risk Assessment Methodology and Plan the Audit Schedule

First and foremost, audit teams may need to reprioritize and reassess their internal audit processes and plans. With the pandemic turning everything upside down, it's time to revisit your risk assessment methodology to keep pace with the changing landscape.

This includes collaborating with key stakeholders to identify changing or new risks and determining how to effectively work with the business in planning mitigation strategies.

Further, work on the complete audit schedule and logistics. The basic requirements for an internal audit program in any organization are still prioritized based on the seriousness of the process, risk, and internal or external performance trends. 

The benefit of an internal audit is that you can shift your focus on the highest risk processes. This way, all the audit objectives can be met and managed in a streamlined way.

2. Create a Clear Audit Plan

Virtual audits bring several deterrents to the table, including bogged down Wi-Fi and internet connections, slow-functioning systems due to teleconferencing apps, and more.

Therefore, audit teams must set clear expectations of the evidence they wish to see with an audit plan. Plus, decide on suitable expectations for start times, the total duration of the live audit time, and the closing meeting time.

3. Invest in Collaborative Tools

Team efforts and relationship management play a key role in successfully navigating the process of remote internal audits. However, it is quite challenging to collaborate and connect with various stakeholders, including colleagues and process owners, when working virtually.

Invest in technology-driven collaborative tools like videoconferencing with options such as recorded meetings, screen-sharing, and more. Thus, you can remove distance barriers and review procedures or documents together in real-time.

Leveraging these tools also allow auditors and CPAs to pick up on visual cues typically observed during live interviews. This kind of real interaction plays a significant role in building rapport before with auditees, which is a crucial part of the internal auditing process.

4. Establish Standards for Secure Access to Key Sources of Business Data

Like traditional onsite audits, virtual audits require detailed and careful planning on the part of both the auditor and the organization. 

The organization needs to collect all the documents related to online tax filing and similar compliance records before the internal financial audit. Companies must then identify the best way to present that information remotely. A few options entail an email transfer ahead of time, sharing the screen during a web meeting, and allowing secure access to company Intranet/shared directory space.

Some other things to take care of include:

  • Identify specific focus areas for the audit well ahead of time using a site map as a guide. This is to ensure that all the required areas are covered for conducting a smooth suit.

  • It is best to schedule interviews in advance to ensure availability. However, there should also be an option to conduct interviews on an ad hoc basis as the need arises.

5. Identify Opportunities for Continuous Monitoring Capabilities

With most internal audit teams working virtually, the value of analytics-driven process analysis and exception-based monitoring is becoming more and more evident. 

Internal audit departments possessing such robust capabilities can demonstrate more flexibility and greater resiliency in such haphazard global situations. Resultantly, it is important to target analytics and automation toward audit areas that require standardized and repeatable tests.

Apart from identifying these opportunities, make sure to reflect on the existing use of digital tools and identify any need for testing workarounds in the foreseeable future.

6. Redefine the Communication and Reporting Model

As internal audit services and processes move online, it becomes imperative to redefine the audit team's reporting and communication strategies. What this implies is modifying the means and frequency of communicating with stakeholders.

There is an enhanced need to compile a list of all stakeholders who need to stay informed, alongside increasing the frequency of communication.

In Conclusion

Organizations across the globe are attempting to establish what the new normal looks like in terms of employee health and safety, business continuity, operating practices, and compliance.

For many organizations, such measures are implemented on a temporary basis. However, if you're working in accounting, you must face the reality that these new processes are likely here to stay.

Internal audits are one aspect of the overall system that can be seamlessly transitioned to the virtual space. As long as the right strategies and robust technology are in place to ensure ongoing compliance, companies can come out stronger on the other side. 

Therefore, it is important to set-up the virtual audit process as thoroughly as possible with long-term success in mind. 

Author Bio:

Bryan Kesler

Bryan Kesler, CPA is a passionate CPA exam mentor with a mission of helping all CPA Candidates struggling to pass the CPA exam find success. As a business owner and licensed CPA, his priority was to find a firm that could manage his accounting and provide him with CFO services. He understood that if he was to stay focused on his singular goal of helping as many CPA candidates pass the CPA exam, he shouldn’t be the one to handle his accounting or tax services.

Friday, April 27, 2018

Fraud Never Suffers from a Hiatus

Former PTA Treasurer Sentenced to 9 Months in Jail for Embezzlement

Washington Post Thursday April 26, 2018

It is important that auditors never become complacent about fraud in the workplace. The former treasurer of a countywide PTA in Maryland's largest school system embezzled more than $39,000 from the group.

How did she do it?  She wrote checks and altered bank statements to hide her crime. She stole money from a school where more than 2/3 of the students qualified for free or reduced priced meals. Shame on her!

Over what time period did the fraud occur? The fraud extended for more than 6 years.

What was her punishment? She had to repay funds to the PTA for their deductible, pay the Insurance company that paid out funds to the school group and more.

Read the complete story here!

Thursday, January 4, 2018

Training Options for Internal Auditors

Auditors have a plethora of options when it comes to training. These options include bringing trainers to your location for on site training, conferences, or sending your auditors to a training class. These options usually include additional costs such as the cost of the trainer, conference registrations, class fees, travel, lodging, meals and incidental costs. Another option is online training or Webinars. Online training may be free or low cost and avoids having your audit staff leave the office as they can participate from their desktop or in a shared setting.

AuditNet®, the global resource for auditors and accountants has teamed with subject matter experts to provide online training solutions. Thousands of auditors have participated in our Webinars and earned free or low cost CPE.  We record all Webinars and provide you with a link to the file so that you can review the learning concepts in a just in time educational format in your time zone (for our international clients). AuditNet® subscribers can earn CPE by viewing recordings on demand through a discounted cRisk Academy subscription.

The 2018 Webinar schedule is now available and registrations are open. Topics included in our 2018 schedule include a 10 Webinar series on Cybersecurity, Ethics for Internal Auditors, audit data analytics, new auditor training and more. Event listings are available at AuditNet®.

For more information contact AuditNet®