Uncovering accounts payable fraud

Even if you're already using fuzzy matching and algorithms, here are some ways to utilize the classic methods and avoid some common pitfalls of accounts payable fraud.

While conducting a duplicate payment audit for a medium-sized health-care product manufacturer, we noticed multiple $40,000 payments made out to one person on the same day. This made us curious, so we ran a mathematical algorithm to identify above-average payments per vendor and the same payments floated to the top of the report. The person turned out to be an employee who typically received a bimonthly paycheck of between $500 and $1,000. Indeed, $40,000 seemed unusual - especially three payments made on or near the same day! It was also highly unusual that there were no invoice numbers on these high-dollar payments. Most accounts payable systems won't accept an invoice entry without an invoice number: in fact, many A/P clerks are coached to enter the date if no invoice number is provided. Well, we got lucky in this situation because the client had given us its check register (instead of an A/P extract), which listed all checks issued, including checks with missing invoice numbers. Using cutting-edge data mining technology, we were able to import the electronic version of the check register and create a database from it. Then using this database, we were able to implement time-tested fraud detection algorithms and uncover the fraud. (We used SAS to complete the task, but there are other text-mining software packages such as Monarch that can be utilized).

After speaking with the new controller of the company, we found that the employee had already left. The new controller mentioned a legal mishap, but she didn't know about the $40,000 checks.

Do you want to stop this type of fraud before your employees run away with the cash? If so, here we'll introduce some approaches to identifying potential accounts payable duplicate payments and fraud using "fuzzy matching" and algorithms. (See "Fuzzy Matching and Algorithm Basics" at the end of this article.)

ROOTING OUT IMPROPER PAYMENTS
The volume of financial transactions occurring in the average accounts payable department is always increasing. With that growth comes an inherent risk of improper payments, which include inadvertent errors such as duplicate payments and miscalculations, payments for unsupported or inadequately supported claims, payments for services not rendered, missed discounts, missed credits, and payments resulting from outright fraud and abuse.

In fiscal year 2000, the U.S. General Accounting Office (now the Government Accountability Office) concluded that the U.S. government made about $19 billion in improper payments or about 16 percent of the total expenditures for the year.¹  

The Sarbanes-Oxley Act is forcing many companies to take an in-depth look at internal accounts payable controls. Implementing and monitoring internal controls might be an expensive proposition in time and money, but if fraud or leakages are found, your time and money have been well spent.

Here are eight different ways to detect potential accounts payable fraud.

NO 1. DUPLICATE PAYMENTS
Duplicate payments in most cases aren't related to fraud but continue to be a significant form of leakage that's both preventable and recoverable. Mark Van Holsbeck, director of enterprise network security for Avery-Dennison, estimates that corporations make duplicate payments at the rate of 2 percent of total purchases.² Two percent may not sound like much, but if your company's purchases total $75 million, duplicate payments would account annually for about $1.5 million of your operating budget.

Take a look at some of the statistics:

Medicare
The Department of Health & Human Services' Office of the Inspector General estimated that Medicare made $89 million of duplicate payments in 1998.³  

The General Accountability Office (GAO), in a report received from HHS/Medicare, estimates that the total amount of improper payments made by Medicare totaled $11.6 billion in 2003 and $21.7 billion in 2004.⁴  

Cingular
"We have once again discovered that payments made online as an Electronic funds payment for TDMA accounts, have been deducted twice from the customer's checking account."⁵  

Medicaid
"We identified at least $9.7 million in such duplicate payments during our two-year audit period, and estimated that as much as $31.1 million in additional duplicate payments may have been made."⁶  

In addition to Sarbanes-Oxley, the Check Clearing for the 21st Century Act, passed on Oct. 28, 2004, may have actually increased the chances of making a duplicate electronic debit. The new legislation, designed to decrease the time it takes for checks to clear, allows banks to freely exchange electronic images of checks. Because the image and a substitute check may be in circulation simultaneously, this might increase the chances of a duplicate debit occurring. An article in the ACFE's e-newsletter, The Fraud Examiner, explains this potential risk:

"A risk resulting from a bank's decision to create IRD's is the possibility of double debiting a consumer's bank account. In some cases, the electronic image and a substitute check will be in circulation at the same time. There is a possibility that the consumer's account can be debited twice for the same amount written on the original paper check. Thus, many banks are deploying software that quickly detects double-debits."⁷ 

David Walker, president and CEO of the Electronic Check Clearing House Organization (ECCHO, Dallas), disagrees. He argues that decreasing the time it takes for checks to clear will, if anything, decrease the opportunity for fraud. He says:

"The fraudsters have the ability to make copies of checks, and they do. That problem doesn't go away. It was there pre-Check 21. Banks have to realize when a duplicate debit goes through, no matter what form … the longer it takes to clear the item, the longer it takes to commit fraud.⁸  

Either way you view Check 21, duplicate debits are still a problem for many financial institutions.

How to identify and control duplicate payments
In a rush to address the growing problem and find overpayments, many companies have offered computerized solutions. Utilizing various methodologies and computer-aided programs to ferret out the alarming number of duplicate payments, these companies are finding that there's no shortage of business.

Many accounting software packages have some pre-packaged controls designed to prevent duplicate invoices and payments but it usually takes some in-depth querying and further analysis to identify them. For example, many accounting packages check for duplicate invoices and prevent you from keying in a duplicate invoice number for the same vendor. But just add an "A" to the invoice number or change a penny on the invoice and you're on your way to a duplicate payment. Another common mistake is found in vendor demographic files; duplicate vendor numbers for the same vendor is the No.1 cause of duplicate payments.

Common mistakes and basic solutions
There are a couple of common pitfalls that, if avoided, will strengthen your ability to detect duplicate payments. Here are three common mistakes and some suggested solutions for avoiding them.

Mistake No. 1: Many people mistakenly run a query where only the invoice number is different (vendor number, invoice date, and amount are the same) but end up with a lot of false positives on their reports through which they have to manually comb.

Solution: Try extracting only the numerical digits of an invoice number and matching on only the numbers portion of the invoice. You can do this using a combination of a MID() function in Visual Basic and the ISNUMBER or ISNUMERIC function. This way you'll catch more true duplicates and create a more accurate report.

Mistake No. 2: Another common query pinpoints different invoice dates. Though this is a good query, it often catches legitimate reoccurring rent, lease, or mortgage payments.

Solution: Try identifying dates that are similar such as dates that are less than 14 days apart. They're much more likely to be duplicates than invoices paid one year apart. Using less than 14 days as your date tolerance will prevent legitimate monthly payments (such as rent and credit card) from showing up on the duplicate report.

Mistake No. 3: Credits aren't factored into the duplicate payment search. If you match an exact amount you might find duplicates but won't find the credit that reversed the duplicate.

Solution: Try matching on the absolute value of the amount instead. We actually take out credits and the invoices that they apply to, so that they're eliminated before the duplicate payment logic is run.

The table below lists the basic structure of the algorithms.

Basic structure of the nine algorithms  

Nine algorithms
To maximize the accuracy of your duplicate payment investigations, we've outlined nine core algorithms that we designed and tested that identify all duplicate payments without adding extraneous data to your reports.
You will need four fields at a minimum to identify duplicate invoices:

• vendor/supplier number;
• invoice number;
• invoice date; and
• invoice amount.

Implementing "similar" fuzzy matching instead of exact matching makes this approach more accurate and powerful than many other methodologies. You can consider invoice numbers similar if they're exact after stripping out any zeros and any alphabetic characters as well as punctuation characters. Likewise, you can consider invoice dates similar if the difference between the dates is less than a designated amount such as seven days. For example, if you entered "7" days for the date tolerance, then all invoices with a date different of seven or less would be considered similar. We generally set the date tolerance to 13 days to catch duplicate payments without capturing legitimate monthly payments such as rent. Finally, use fuzzy-matching when comparing amounts by implementing all three of the following principles. The amounts are considered similar if:
1) the amounts are 3 percent +/- the other amount;
2) one amount is exactly twice as much as the other; for example: $220.15 and $440.30; and
3) the amounts start with the same first four digits; for example: $123.45 and $1,234.55.

Try using similar matching when you conduct your next duplicate payment audit; your reports will be shorter and contain much more relevant data.

NO. 2: BENFORD'S LAW
Benford's Law (which was first mentioned in 1881 by the astronomer Simon Newcomb) states that if we randomly select a number from a table of physical constants or statistical data, the probability that the first digit will be a "1" is about 0.301, rather than 0.1 as we might expect if all digits were equally likely. The "law" may be expressed formulaically, where the probability that the first digit "d" is as follows:

This numerical phenomenon was published by Newcomb in a paper entitled "Note on the Frequency of Use of the Different Digits in Natural Numbers," which appeared in The American Journal of Mathematics in 1881. It was re-discovered by Benford in 1938 who published an article called "The Law of Anomalous Numbers" in Proceedings of the American Philosophical Society.⁹

You can actually recreate this function in Excel quite easily. In one column, use the nine rows in cells A1 through A9. In each cell, type "1" in A1, "2" in A2, all the way through to "9" in A9. In the second column, in cell B1, type the function "=ln(1 + 1/A1) / LN(10)" and copy this function for cells B2 through B9 and it will create the probabilities you see in the graph below.

[Graph is no longer available. — Ed.]

We can use Benford's Law to identify fraud if we know the normal frequency of digits because we can then identify digit frequencies that violate that expected behavior. For example, Benford concluded that, out of a group of numbers, the first digit will be "1" about 30 percent of the time. Similarly, using the same function, we can expect the first digit to be "8" about 5 percent of the time. Expected frequencies for each first digit of the invoice amount are shown in the table below.

Expected frequencies for first digit of invoice amount 

If accounts payable invoice amounts are analyzed and it's determined that the first digit of the invoice amount is "8" 50 percent of the time, then we may have either many legitimate payments that start with "8" or possibly fictitious invoice amounts. Fraudsters will often create a fictitious invoice amount that starts with a higher number, like eight or nine, not knowing that auditors are now equipped to identify these transactions.

NO. 3: ROUNDED-AMOUNT INVOICES
People who commit fraud often create invoices in round-dollar amounts. You would think the fraudster would have "cents" enough to do otherwise. An easy way to identify rounded-amount invoices is to use the MOD function in Microsoft Excel. By using this function, you'll be able to identify rounded invoice amounts as those which return a value of zero. For example, suppose your invoice amount is $150.17 then MOD (150.17,10) gives you the remainder of dividing 150.17 by 10, returning a value of 17. So, using the MOD function with a divisor of 10 on a no-pennies amount would leave us a remainder of 0. Then rank your vendors by those with a high percentage of rounded-amount invoices. Just calculate each vendor's number of rounded-amount invoices and divide it by the total number of invoices for that vendor, obtaining the percentage. Then rank by descending percentage to review the most suspicious vendors first.

NO. 4: INVOICES JUST BELOW APPROVAL AMOUNTS
People who commit fraud are often very predictable. Suppose an accounts payable clerk knows the different dollar thresholds for management approval. For example, a supervisor might only be allowed to approve invoices of $3,000 or less but a manager might be allowed to approve invoices of $10,000 or less, and so on. Suppose an accounts payable clerk and her manager decide to skim off some extra dollars. The easiest way to get the most money might be to create a fraudulent invoice just below the approval level of that manager: $9,998 when the approval level is $10,000 or $2,978 when the approval level is $3,000.

To identify these potentially fraudulent invoices, try this: identify invoices that are 3 percent (or less) less than the approval amount. For example, if your approval amount is $3,000, then any invoice that is between $2,910 and $2,999 would be flagged as suspicious.

NO. 5: ABNORMAL INVOICE VOLUME ACTIVITY
Rapid increase
Monitoring vendor invoice volume is another way to alert you to aberrant activity. Rapid increases in invoice volume may indicate a legitimate increase in business but also might indicate a fraudster's behavior. Either way, the increase might warrant an investigation. Suppose a vendor has two invoices one month and 70 the next - you might want to know the reason for this, even if that reason isn't fraudulent.

To calculate the percent increase in invoice volume from one month to the next, find the difference in the number of invoices and then divide by the number of invoices in the first month. In our example, going from two invoices to 70, the difference (68) divided by the number of invoices in the first month (two) represents a 3,400 percent increase. Setting the threshold percentage is the key here; when doing audits, we like to set the threshold percentage at 300 percent or higher. Setting the threshold at 300 percent will catch increases from three to 13, which might not be suspicious so you might also want to set a minimum number of records that you're interested in, such as 50 as your second month's number of invoices. Setting the threshold at 300 percent will also catch more suspicious increases, such as 50 to 220.

High variance
This algorithm can be used to identify potential fraud that follows a "hit and run" tactic. Suppose a fraudster creates a fictitious vendor and submits one test invoice in May. In June, he creates 50 invoices to this fictitious vendor. In July, the fraudster assumes a low profile again and only submits two invoices. Running this algorithm can catch this zig-zag in volume. It's true that the sudden spike in the number of invoices will also be caught on the rapid-invoice volume change alert report. The difference is that vendors on this report will have a return to lower numbers, while in the rapid invoice volume list, the number of invoices might continue to increase with no return to lower numbers.

You can follow the logic below to identify vendors with a high variance in invoice volume:

• calculate the number of invoices per month per vendor;
• calculate the standard deviation and the average number of invoices per vendor;
• calculate a ratio for each vendor: standard deviation divided by the average number of invoices;
• calculate the average ratio for the entire population and the standard deviation of the ratio;
• calculate a z-score for each vendor using this formula:
  z-score = (vendor ratio - population average)/population standard deviation; and
• flag all vendors with a z-score >= 2.5 (2.5 standard deviations above the mean, which translates to "very rare").

NO. 6: VENDORS WITH SEQUENTIAL INVOICE NUMBERS
Sometimes you run across vendors whose invoices are sequentially numbered invoices such as "JK0001," "JK0002," "JK0003." While these might seem legitimate, if this pattern is stretched over time, it might suggest that this vendor only does business with just one company, which is extremely rare in today's business world. A vendor doing business with only one entity might indicate that kickbacks are involved or that the vendor is a fictitious vendor. Although the vendors on this alert list may be legitimate, some may warrant further investigation.

NO. 7: ABOVE-AVERAGE PAYMENTS PER VENDOR
This algorithm identifies invoices that are way above average for a particular vendor. Suppose a vendor normally has invoices ranging from $1,000 to $3,000; suddenly an invoice shows up for $25,000. You might want to investigate this abnormality using this easy alert pattern algorithm.

For each vendor, calculate the average and standard deviation of the invoice amount. Then, calculate a z-score for each invoice amount: z-score = (invoice amount - average amount) / standard deviation.

Then, flag all vendors with a z-score above 2.5, indicating the payment is more than 2.5 standard deviations above the mean. If your report is still too large, try increasing the z-score threshold to 3.0 or higher.

NO. 8: VENDOR WHO MAY BE AN EMPLOYEE
'Trust but verify'
Most employees are generally trustworthy but it doesn't hurt to conduct some data mining to make sure of this. Here's a simple approach to cross-check your vendor and employee files to see if perhaps an employee has set up a fictitious vendor.
Try merging your vendor file and employee file by the following variables:

• address;
• tax ID number;
• phone number; and
• bank routing number.

If you have a good programmer, try doing some fuzzy matching (as described earlier) on these fields as well. For address, try extracting just the numbers in the street plus the ZIP code, and then compare these numbers. This eliminates matching on noise words such as "Drive" and "Suite."

Also, try doing some fuzzy matching on tax ID numbers as well, just in case there was a typo in the data entry. If you specify that the tax IDs are equal if they are even one digit off, you may catch a vendor/employee ring!

This algorithm made it possible to detect a real employee whose Social Security number was the same as a company EIN (tax ID number). The company name happened to be on the same street, city, and state as a person with the same last name as the employee (presumably her spouse). Without finding this pattern through fuzzy matching, the employee fraud may have gone undetected.

SOMETIMES THE ONLY OPTION
Most fraud today is still reported retrospectively by whistle-blowers. While many larger companies are realizing the value of proactive fraud auditing, it's available to companies of all sizes with minimal effort. Applying some fuzzy matching and algorithms might highlight the fraud while it's still being perpetrated. If you're an internal auditor or controller, don't be reluctant to search for the fraud on your watch: that's what you're paid to do. If you have good managers they'll know that you can't prevent all fraud but they'll realize that finding the fraud is still better than not finding the fraud at all.

1. Financial Management: Billions in Improper Payments Continue to Require Attention" (GAO-01-44, Oct. 27, 2000).
2. Van Holsbeck, Mark and Johnson, Jeffrey Z. "Security in an ERP World" (May 2004) www.net-security.com.
3. http://oig.hhs.gov/oei/reports/oei-03-00-00091.pdf (1998).
4. Harris, Gale. "Moving Forward on the Improper Payments Act." March 17, 2005. www.auditforum.org.
5. http://forums.cingular.com/cng/board/message, online message board (March, 2005)
6. http://www.osc.state.ny.us/audits/allaudits/093004/04f2.pdf (June, 2004), Antonia C. Novello
7. Ingham, Cassandra A. "Exploring Check 21, Parts 1 and 2." The Fraud Examiner. Ingham is a graduate candidate in economic crime management at Utica College.
8. Ramsaran, Cynthia "Quality vs. Deception in Managing IRDs" Aug 10, 2004. www.banktech.com 
9. www.mathpages.com/home/kmath302/kmtath302.htm

[Some source links referenced in this article are no longer available. — Ed.]

Christy Warner is the president of Automated Auditors, LLC, located in the Washington, D.C., area, a data-mining corporation that specializes in identifying duplicate payments, duplicate vendors, and financial fraud. Warner is also a member of the Forensic and Dispute Analysis Group at Klausner Dubinsky + Associates, P.C.

Bruce G. Dubinsky, CFE, MST, CPA, CVA, is the director of the Forensic Accounting and Dispute Analysis Group at Klausner Dubinsky + Associates, P.C. located in Bethesda, Md. The Washington Metropolitan Chapter of the ACFE presented Dubinsky the Certified Fraud Examiner of the Year Award in 2001 and 2005. 

FUZZY MATCHING AND ALGORITHM BASICS

The key to an accurate and comprehensive duplicate payment report is "fuzzy-matching." The software programming world uses this term to describe a way to compare terms that are similar but not exactly the same. For example, the names "John" and "Jon" are similar in sound but are spelled differently.

Programmers use many functions such as SPEDIS() and SOUNDEX(). [The SPEDIS() and SOUNDEX() functions are registered trademarks of SAS software (www.sas.com). Similar functions are offered in other programming languages such as C++ and Visual Basic.]

Mathematical algorithms are becoming the tool of choice in the industry for detecting and identifying duplicate payments. In mathematics and computer science an algorithm is defined as a finite set of well-defined instructions for accomplishing a specific task which, given an initial state, will end in a corresponding recognizable "end state" or desired result. Algorithms are typically implemented by computer programs because they're complex and require many iterations (or repetitions). The concept of an algorithm is similar in a sense to a cooking recipe. In a recipe, you have ingredients that you mix together in a certain way to make a delicious (or at least tolerable) meal. In the same way, an algorithm takes certain input factors and combines them together to create a final product: in this case - a report. Algorithms often have steps that iterate (repeat) or require decisions (such as logic or comparison) until the task is completed.