Tommie Singleton, Ph.D., CISA, CGEIT, CITP, CPA
For many years, articles have been published on Benford’s Law, explaining the theory and how to use it in audit procedures. My volume 3 column attempted to focus on the application while providing an adequate discussion of theory—after all, the application is driven to a large degree by the theory.
My own experience and that of some of my IT audit friends have convinced me that, while Benford’s Law has a limited set of criteria for proper application, there are probably a large number of legitimate application opportunities going unmet.
Fraud auditing and forensic data mining seem to have some fruitful opportunities. For instance, almost all entities have some kind of threshold for certain levels of approval:
- Thresholds for requiring purchase orders for obtaining goods or services
- Thresholds for bank loan officers where the application is sent to a loan committee vs. loan officer approval
- Thresholds for second signature on checks/disbursements
- Thresholds for large single transactions for approval
- Thresholds for credit card charges (e-procurement, travel cards, etc.)
- Thresholds for amounts on Journal Entries
- Thresholds on amounts of refunds
Just about all threshold types have the potential for occupational fraud and abuse. Therefore, it seems prudent, in every internal audit and in most fraud investigations, to look at transactions just below that threshold, because doing so could reveal a fraud. In fact, I have seen data from many frauds that could easily have been detected had such a test been performed. As this situation relates to Benford’s Law, the digit or digits just below the threshold will be “frustrated,” become abnormal in distribution and, thus, would likely be anomalies in a Benford’s Law analysis. Therefore, a Benford’s Law test should be a common test when relevant thresholds are employed.
In my recent column, there is an explanation of using the leading digit or digits on thresholds. For example, a threshold of $2,500 would need two leading digits, whereas one of $5,000 could use either a one-digit or two-digit test. Generally speaking, a two-digit test is more effective.
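The two-digit threshold test described above, sketched as an added example (not code from the column). Assumptions: amounts are held as integer cents, the function names are hypothetical, the ledger is constructed sample data, and a z-statistic with a cutoff of 4 stands in for whatever test statistic the auditor's tool uses.

```python
import math
import random
from collections import Counter

def first_two_digits(cents):
    """Leading two digits of an amount held as integer cents (250000 -> 25)."""
    s = str(cents)
    return int(s[:2]) if len(s) >= 2 else None  # under $0.10: no two-digit group

def group_below(threshold_cents):
    """Two-digit group occupied by amounts just under an approval threshold."""
    return first_two_digits(threshold_cents - 1)

def benford_excess(amounts_cents, z_cutoff=4.0):
    """Return {two_digit_group: z} for groups holding far more items than Benford expects."""
    groups = [g for g in map(first_two_digits, amounts_cents) if g is not None]
    n, counts = len(groups), Counter(groups)
    flagged = {}
    for d in range(10, 100):
        p = math.log10(1 + 1 / d)  # Benford probability of leading digits d
        z = (counts[d] - n * p) / math.sqrt(n * p * (1 - p))
        if z > z_cutoff:  # one-sided: only an excess is of interest here
            flagged[d] = round(z, 1)
    return flagged

def constructed_ledger(seed=7):
    """Constructed sample: 5,000 log-uniform amounts plus 150 just under $2,500."""
    rng = random.Random(seed)
    ledger = [int(10 ** rng.uniform(3, 7)) for _ in range(5000)]      # $10 to $100,000
    ledger += [int(rng.uniform(240000, 250000)) for _ in range(150)]  # $2,400.00 to $2,499.99
    return ledger

if __name__ == "__main__":
    flagged = benford_excess(constructed_ledger())
    target = group_below(250000)  # $2,500 threshold, in cents
    print("groups with excess:", flagged)
    print("group just below threshold:", target, "flagged:", target in flagged)
```

A flagged group is a reason to pull the underlying transactions for review, not a finding in itself.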
The reason to mention internal audit testing is proactive data mining. Absent any suspicion of fraud, it seems likely that employees have the opportunity either to commit occupational fraud and abuse involving that threshold or to frustrate or circumvent the control objective of the threshold. Such a circumvention of controls would, by default, be a control deficiency. Thus, internal audit should test these thresholds for both fraud and control deficiency.
In addition, there are other opportunities to apply Benford’s Law. In external audits, examining data as a means to assess control effectiveness could also involve thresholds or other similar situations (e.g., customer or vendor refunds, inventory pricing, stock prices). Looking for these opportunities could lead to efficient and effective audit procedures using Benford’s Law.
But the downside is the misapplication of Benford’s Law. Misuse generally stems from a misunderstanding and/or misapplication of the theory aspect of Benford’s Law, such as the fact that data must be random and that data sets must be relatively large in volume of transactions or events. Those “gotchas” are explained in the column, and IT auditors need to be aware of them.
Read Tommie Singleton’s recent Journal column: