Fraud detection laws & theories — complete guide
A structured theory reference covering Benford’s Law, Beneish M-Score, Zipf’s Law, the Fraud Triangle & Diamond, Digital Forensics, and more. Designed for forensic accounting and fraud examination study.
Proposed by physicist Frank Benford in 1938, this law states that in large collections of naturally occurring numbers, the leading digit is more likely to be small. The digit 1 appears as the first digit about 30% of the time, while 9 appears less than 5% of the time. This counterintuitive distribution holds across invoices, population data, stock prices, and financial statements — making it a powerful tool to detect fabricated numbers.
P(d) = log₁₀(1 + 1/d)
where d = first digit (1 through 9)
| First digit | Expected % | Visual bar | Z-stat threshold | Fraud signal when… |
|---|---|---|---|---|
| 1 | 30.1% | Z > 1.96 | Under-represented | |
| 2 | 17.6% | Z > 1.96 | Any significant deviation | |
| 3 | 12.5% | Z > 1.96 | Any significant deviation | |
| 4 | 9.7% | Z > 1.96 | Over-represented → structuring signal | |
| 5 | 7.9% | Z > 1.96 | Over-represented | |
| 6 | 6.7% | Z > 1.96 | Any significant deviation | |
| 7 | 5.8% | Z > 1.96 | Any significant deviation | |
| 8 | 5.1% | Z > 1.96 | Any significant deviation | |
| 9 | 4.6% | Z > 1.96 | Over-represented → round-9 fraud |
Z-test formula
Z = |obs% − exp%| ÷ √(exp%×(1−exp%)÷n)
Z > 1.645 → 90% confidence
Z > 1.960 → 95% confidence
Z > 2.576 → 99% confidence
Chi-square test
χ² = Σ (Observed − Expected)² / Expected
Degrees of freedom = 8
Critical value at 95% = 15.507
χ² > 15.507 → Non-conforming data
Where Benford’s Law applies
Where it does NOT apply
- Assigned numbers with constrained ranges — phone numbers, PIN codes, invoice sequences
- Narrow value ranges — hotel room rates ₹1,000–₹5,000 will only start with digits 1–5
- Small datasets — requires n > 300 records for statistically reliable results
- Prices set by human convention — fixed-price items like ₹99, ₹499, ₹999
Formulated by linguist George Kingsley Zipf, this law states that in ranked datasets, the frequency of an item is inversely proportional to its rank. In fraud analysis: if vendor #1 receives 40% of payments, vendor #2 should receive ~20%, #3 ~13%, and so on. Disproportionate concentration signals conflict of interest, kickbacks, or phantom vendor schemes.
Zipf’s Law formula
f(r) = C / r^α
f = frequency at rank r
C = frequency of the #1 item
α ≈ 1.0 in natural data
Zipf ratio (rank 1 ÷ rank 2) ≈ 2.0
Key concentration metrics
CR3 = Top 3 spend ÷ Total spend
CR3 > 60% = High concentration risk
HHI = Σ (market share_i)²
HHI > 0.25 = Monopolistic
HHI > 0.15 = Moderate concern
Fraud signals from concentration analysis
- Single vendor > 50% of department spend — conflict of interest, kickbacks, phantom vendor
- HHI > 0.25 — monopoly-like concentration inconsistent with competitive procurement policy
- Vendor rank changes suddenly — previously minor vendor jumps to #1 without explanation
- Zipf ratio deviates sharply from 2.0 — too flat (collusion ring sharing payments) or too steep
- High invoice frequency + low average amount — possible invoice splitting to stay below approval limits
Developed by Professor Messod Daniel Beneish in 1999, the M-Score model uses eight financial ratios derived from public financial statements to produce a single score predicting the likelihood of earnings manipulation. It was used retrospectively to identify Enron, WorldCom, and Satyam as manipulation candidates before their frauds were officially uncovered.
M = −4.84 + 0.920×DSRI + 0.528×GMI + 0.404×AQI + 0.892×SGI
− 0.115×DEPI − 0.172×SGAI + 4.679×TATA − 0.327×LVGI
M < −2.22 → LOW RISK (not likely a manipulator)
M from −2.22 to −1.78 → GREY ZONE (possible manipulation)
M > −1.78 → HIGH RISK (likely financial statement manipulator)
Criminologist Donald Cressey interviewed 250 convicted embezzlers and found a consistent pattern: all three elements were always present. Fraud occurs at the intersection of motivation, means, and mindset. Remove any one element and the fraud does not occur — this insight drives the entire framework of internal controls.
Pressure — the motivation
The non-shareable financial problem
- Personal financial debt or crisis
- Aggressive sales targets tied to bonuses
- Fear of job loss or demotion
- Addiction, gambling, lifestyle inflation
- Medical bills, family financial obligation
Opportunity — the means
Weak controls create the opening
- No segregation of duties (single approver)
- Unrestricted system access without audit
- No surprise audits or reconciliations
- Management override accepted without review
- No mandatory vacation policy
Rationalisation — the justification
Internal cognitive justification
- “I’ll pay it back — it’s just a temporary loan”
- “The company underpays me, I deserve this”
- “Everyone does it in this industry”
- “I’m only borrowing during a tough time”
- “They won’t even notice this small amount”
David Wolfe and Dana Hermanson argued in 2004 that the Fraud Triangle was incomplete. Many large frauds require a perpetrator with specific skills, seniority, and intelligence to execute and sustain the scheme. The person must also have the emotional capability to rationalise and conceal the fraud over long periods without detection.
Capability — the 4th element
The fraudster must possess: position (authority over assets or records), intelligence (ability to identify and exploit control gaps), ego (confidence they will not be caught), coercive ability (to bring others into the scheme if needed), and stress tolerance (to manage the anxiety of concealment over months or years).
High capability indicators
- Deep system knowledge + admin privileges
- Long tenure in same role (>5 years)
- History of bypassing policy “for efficiency”
- Dominant personality, rarely questioned
- Trusted employee with minimal oversight
Triangle vs Diamond comparison
| Elements in Triangle | 3 |
| Elements in Diamond | 4 (adds Capability) |
| Best for | General fraud risk |
| Diamond best for | Senior-level / complex fraud |
Every digital document carries hidden metadata that records its true history — when it was created, who created it, how many times it was edited, and using which software. This data is embedded in MS Word, Excel, PDF, and email files. Forensic investigators extract this metadata to disprove fraudulent claims about document authenticity and timing.
MAC time — the cornerstone of file forensics
M = Modified (last time content changed) | A = Accessed (last opened) | C = Created (first saved to disk)
A Modified timestamp earlier than the Created timestamp is a logical impossibility — it proves the file system metadata was deliberately altered. A “2020 contract” showing a 2023 metadata creation date exposes backdating fraud.
10 metadata fraud signals
- Creation time 10pm–5am — outside business hours = possible document fabrication
- Total editing time = 0 minutes — copy-pasted template, not genuinely authored
- Author ≠ Signatory — someone else created a document attributed to a different person
- Revision count = 1 on complex document — no editing history = fabricated from template
- Created date after the document’s stated date — proves backdating definitively
- Application = personal app — invoice from personal Google Docs, not company ERP or Tally
- Metadata stripped / properties blank — deliberate concealment is itself evidence of tampering
- Old software version on recent document — MS Word 2003 on a “2024 contract” = copied old template
- Modified date precedes Created date — logically impossible = file system manipulation proven
- Email IP geolocation mismatch — email headers show sender IP in a different city than claimed
Financial ratios when tracked over multiple periods (trend analysis) or compared against industry peers (benchmarking) reveal anomalies that signal manipulation. The key technique is to look for ratios that move in opposite directions to what the company’s stated performance would predict — especially when profitability rises but cash flows fall.
| Ratio | Formula | Normal trend | Fraud signal | Likely scheme |
|---|---|---|---|---|
| Days Sales Outstanding (DSO) | Debtors ÷ (Sales÷365) | Stable or falling | Rising sharply | Fictitious sales, channel stuffing |
| Gross Margin % | (Sales − COGS) ÷ Sales | Industry-consistent | Rising unexpectedly | COGS understatement, revenue inflation |
| Accruals Ratio | (NI − CFO) ÷ Total Assets | Near zero | Large positive value | Income smoothing, cookie-jar reserves |
| Receivables Turnover | Sales ÷ Avg Receivables | Stable or rising | Falling 30%+ | Fictitious credit sales |
| Cash Conversion Cycle | DSO + DIO − DPO | Consistent or improving | Lengthening dramatically | Inventory hoarding, AR manipulation |
| Debt-to-Equity | Total Debt ÷ Equity | Within covenant limits | Approaching covenant limit | Off-balance-sheet debt, SPV abuse |
Channel stuffing — the classic ratio fraud explained
Channel stuffing occurs when a company ships excess product to distributors to record revenue, knowing returns will come later. The first affected ratio is DSO — it rises because distributors delay payment. Gross margin eventually falls when product is returned or discounted. Inventory at the distributor level rises (invisible from the financial statements alone — requires channel checks and industry comparison).
Bid rigging is a form of price fixing where competing bidders coordinate their submissions to ensure a predetermined outcome. It is a criminal offence under the Competition Act 2002 in India and similar legislation worldwide. Detection relies on statistical analysis of bid patterns across multiple tenders rather than any single document.
Cover bidding
Losing bidders submit intentionally inflated bids to give the appearance of competition. Detection: losing bids cluster at suspiciously round numbers or identical margins above the winner.
Bid rotation
A cartel takes turns winning tenders so each member gets an equal share over time. Detection: same set of bidders appear across all tenders; wins rotate in an obvious pattern.
Bid suppression
Potential competitors agree not to submit bids, leaving only one active bidder. Detection: single-bidder tenders on large contracts; same firms consistently absent from similar tenders.
Estimate leakage
Winning bid is suspiciously close to internal cost estimate — within 0.5% — suggesting an insider disclosed the estimate. Detection: (Win Bid − Estimate) / Estimate < 0.5%.
Bid spread = (Max bid − Min bid) / Max bid
Narrow spread (<5%) on competitive tender = cover bidding signal
Vendor win rate = Wins / Total tenders in period
Win rate > 50% = dominant vendor = investigation warranted
Estimate proximity = |Winning bid − Internal estimate| / Estimate
Proximity < 0.5% = estimate leakage highly probable
- Same bidders consistently appear together across unrelated tenders in different departments
- Winning bids are consistently just below the tender estimate — never above it
- Tender evaluation committee member has a personal relationship with the winning vendor
- Post-award contract modifications significantly inflate scope (bid low, inflate later scheme)
- Urgency-based single-source procurement used repeatedly for the same category of goods