Billing and Vendor Fraud Schemes
Billing schemes exploit weaknesses in accounts-payable controls to extract money through fictitious invoices, overbilling by real suppliers, or personal purchases charged to the organisation. This topic explains how fraudsters set up shell companies, manipulate the vendor master file, and defeat the three-way match, and how forensic auditors use Benford's Law and duplicate-payment analysis to detect them.
Billing schemes are a category of asset misappropriation in which an employee causes the organisation to issue payments for goods or services that were not received, were overbilled, or served the employee's personal interests rather than the organisation's. They operate through the accounts-payable function: fraudulent invoices enter the payment pipeline, survive whatever controls exist, and money leaves the organisation. The three main variants are fictitious-vendor schemes, in which a shell company controlled by the fraudster submits invoices; pass-through schemes, in which a legitimate supplier is used as a conduit and the fraudster marks up the price; and personal purchase schemes, in which corporate procurement channels are used to buy personal goods. The ACFE's biennial Report to the Nations consistently ranks billing schemes among the most common asset-misappropriation schemes and among the costliest, with a median loss of roughly USD 100,000 per case in recent editions.
The fraud works because accounts-payable systems are designed for volume and speed, not for verification of every transaction. A mid-sized organisation may process thousands of invoices each month. The controls designed to catch anomalies, such as the three-way match of invoice to purchase order to goods receipt, vendor master file access controls, and approval thresholds, each have known circumvention routes that experienced fraudsters exploit. The forensic auditor's task is to understand those routes and design tests that detect the resulting patterns in transaction data.
Detection methodology has converged on data analytics. Large-scale payment data can be queried for Benford's Law deviations, duplicate invoice numbers, round-number clustering, vendor addresses that match employee addresses, and payments made outside normal authorisation patterns. These tests do not prove fraud; they generate a prioritised list of transactions for further investigation. The investigator then gathers supporting evidence through document review, interviews, and, where warranted, examination of the suspected fraudster's personal accounts and records.
By the end of this topic you will be able to:
- Describe the three main billing-scheme variants and explain how each exploits a specific control weakness.
- Explain how a fraudster sets up and conceals a shell company, and identify the records that expose it.
- Explain how the three-way match works and identify the four ways it is commonly circumvented.
- Apply Benford's Law and duplicate-payment analysis to a transaction dataset and interpret the results.
- Describe the investigative steps and evidence sources used to convert an analytics flag into a supportable fraud finding.
- Shell company: A legal entity with no genuine business operations, created to receive fraudulent payments. In vendor fraud, the fraudster controls the shell and the victim organisation's payment process simultaneously, directing payments to a bank account they own.
- Three-way match: An accounts-payable control that requires a supplier invoice to match an authorised purchase order and a goods receipt note before payment is released. The match is designed to verify that goods or services were ordered, received, and correctly priced before money leaves the organisation.
- Vendor master file: The master record of approved suppliers in the accounts-payable system, containing each vendor's name, address, tax identification, and payment bank account. Unauthorised changes to this file are a primary enabler of billing fraud.
- Benford's Law: An empirical regularity in naturally occurring numerical datasets: the leading digit follows a logarithmic distribution, with 1 appearing about 30.1% of the time and 9 about 4.6%. Invoice amounts invented by fraudsters tend to deviate from this distribution, making it a useful screening test.
- Pass-through scheme: A billing scheme in which a legitimate supplier is used as a conduit. The fraudster, who controls or colludes with the supplier, inflates prices or adds fictitious line items. The victim organisation pays the inflated invoice, and the excess flows back to the fraudster.
- Duplicate-payment analysis: A data analytics test that identifies invoice payments made more than once for the same obligation, by matching on vendor, invoice number, amount, and date fields in various combinations. Duplicates may indicate fraud, error, or a control failure that enables either.
Fictitious-vendor schemes and shell company mechanics
In a fictitious-vendor scheme the fraudster creates a vendor record in the organisation's accounts-payable system for a company that either does not exist or exists only on paper. They then submit invoices from that vendor for services that were never performed, often describing vague deliverables such as consulting, training, or IT support that leave no physical trace. The invoices are approved, matched to fabricated supporting documents, and paid. The payment goes to a bank account the fraudster controls.
Setting up the shell requires several steps, each of which creates a forensic trail. The fraudster must incorporate a company or register a business name. In many jurisdictions this is straightforward and cheap: in the United States a limited liability company can be formed in Delaware or Wyoming for state filing fees of roughly USD 100 with minimal ownership disclosure at the state level. In the United Kingdom, online incorporation at Companies House costs GBP 50 (raised from GBP 12 in May 2024), and the register of persons with significant control is public. In India, incorporation under the Companies Act 2013 requires at least one director with a valid Director Identification Number, creating a link to an identifiable person. Beneficial ownership registries, where they exist, are a key resource for investigators. FATF Recommendation 24 requires countries to ensure that adequate, accurate and up-to-date beneficial ownership information is available to competent authorities, typically through a register. The European Union's Fifth Anti-Money Laundering Directive required member-state registers to be publicly accessible, but the Court of Justice of the EU struck down unrestricted public access in November 2022, so access is now generally limited to authorities and persons who can demonstrate a legitimate interest, and implementation still varies by member state.
The fraudster must also add the shell to the vendor master file. This typically requires access to the master file maintenance function, which is why segregation of duties between vendor setup and invoice approval is a fundamental control. Where the same person can both add a vendor and approve invoices from that vendor, the control is broken. Forensic auditors reviewing a suspected fictitious-vendor scheme request the complete vendor master change log for the relevant period and look for vendors added by the same individual who subsequently approved payments to them.
Pass-through schemes and overbilling by real suppliers
Pass-through schemes involve a genuine supplier relationship, which makes them harder to detect than pure fictitious-vendor fraud. In the simplest variant, an employee with procurement authority directs business to a supplier in exchange for a kickback, a payment that may be cash, a gift, a sub-contract, or a shareholding in the supplier. The supplier charges market rates and the kickback comes from the supplier's margin. This is a corruption scheme rather than a billing scheme in the strict sense, but it frequently co-exists with overbilling.
In a pass-through overbilling arrangement, the employee and supplier agree to inflate invoices above the true cost. The employee approves the inflated invoice, the supplier receives payment, and the fraudster receives a share of the excess. Detection requires obtaining market-rate comparisons for the goods or services involved and identifying invoice prices that systematically exceed them. In construction and infrastructure projects, independent quantity surveying provides the benchmark. In service contracts, rate-card analysis, comparison against similar contracts, and benchmarking against industry surveys serve the same function.
| Feature | Fictitious-vendor scheme | Pass-through scheme |
|---|---|---|
| Vendor status | Does not exist or has no operations | Legitimate registered business |
| Services delivered | None | Some or all; price is inflated |
| Who benefits | Employee alone | Employee and supplier collude |
| Primary evidence | No goods receipt, no deliverable | Price exceeds market rate; kickback records |
| Key analytics test | Vendor address overlap; shell registry check | Price variance analysis; payment-to-referral timing |
The three-way match: operation and circumvention
The three-way match is the central procedural control in accounts payable. Before releasing payment, the finance team confirms that a supplier invoice corresponds to an authorised purchase order (confirming the expenditure was approved in advance) and to a goods receipt note or service completion certificate (confirming the goods or services arrived). All three documents must agree on vendor identity, item description, quantity, and price. Where they agree, payment is released. Where they disagree, the invoice is held for resolution.
Fraudsters circumvent the three-way match in four main ways. First, they create false purchase orders by exploiting access to the purchasing module, often during a period when controls are relaxed, such as year-end processing or a system migration. Second, they submit false goods receipt notes, signing off on the receipt of goods that were never delivered. Third, they exploit approval threshold exemptions: most organisations allow small invoices below a set value to be paid without a purchase order, and fraudsters submit invoices calibrated to stay below the threshold. Fourth, they engage in collusion with the person responsible for goods receipt, who signs the note in exchange for a share of the proceeds.
The internal audit literature, including guidance from the Institute of Internal Auditors and the standards of the Chartered Institute of Internal Auditors in the United Kingdom, treats the three-way match as a minimum control, not a sufficient one. A sound procurement control framework also requires that the person who creates the purchase order, the person who approves it, and the person who receives and signs for goods or services are three different individuals with no reporting relationship that would create pressure to collude.
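The following is an added example, not code from the original page or from any ERP product: a minimal three-way match that holds an invoice for each of the mismatches described above (no purchase order, quantity above ordered or received, price outside tolerance, and the same person appearing in more than one of PO approval, goods receipt and invoice submission), plus a threshold-clustering test that flags vendors with repeated no-PO invoices priced just under the no-PO limit. The record layout, the 2% price tolerance, the 5% band under the threshold and all sample records are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical procure-to-pay records. One PO line and one GRN line per PO number.
@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    vendor_id: str
    item: str
    qty: int
    unit_price: float
    approved_by: str

@dataclass(frozen=True)
class GoodsReceipt:
    po_no: str
    qty_received: int
    received_by: str

@dataclass(frozen=True)
class Invoice:
    inv_no: str
    vendor_id: str
    po_no: Optional[str]   # None for invoices submitted under the no-PO exemption
    item: str
    qty: int
    unit_price: float
    submitted_by: str

PRICE_TOLERANCE = 0.02     # assumed: 2% variance against the PO unit price is tolerated

def three_way_match(inv, pos, grns, price_tol=PRICE_TOLERANCE):
    """Return ('MATCH', []) or ('HOLD', [reasons]). pos/grns are dicts keyed by PO number."""
    po = pos.get(inv.po_no)
    if po is None:
        return "HOLD", ["no authorised purchase order"]
    grn = grns.get(inv.po_no)
    reasons = []
    if grn is None:
        reasons.append("no goods receipt note")
    if po.vendor_id != inv.vendor_id:
        reasons.append("vendor on invoice differs from PO")
    if po.item != inv.item:
        reasons.append("item description differs from PO")
    if inv.qty > po.qty:
        reasons.append(f"invoiced qty {inv.qty} exceeds ordered qty {po.qty}")
    if grn is not None and inv.qty > grn.qty_received:
        reasons.append(f"invoiced qty {inv.qty} exceeds received qty {grn.qty_received}")
    if abs(inv.unit_price - po.unit_price) > price_tol * po.unit_price:
        reasons.append(f"unit price {inv.unit_price} outside tolerance of PO price {po.unit_price}")
    # Segregation of duties: PO approver, goods receiver and invoice submitter must differ.
    roles = [po.approved_by, inv.submitted_by] + ([grn.received_by] if grn else [])
    if len(set(roles)) < len(roles):
        reasons.append("same person in more than one of PO approval, goods receipt, invoice submission")
    return ("HOLD", reasons) if reasons else ("MATCH", [])

def threshold_clustering(invoices, threshold, band=0.05, min_hits=3):
    """Vendors with >= min_hits no-PO invoices whose total lies in [(1-band)*threshold, threshold)."""
    hits = defaultdict(list)
    for inv in invoices:
        total = inv.qty * inv.unit_price
        if inv.po_no is None and (1 - band) * threshold <= total < threshold:
            hits[inv.vendor_id].append(inv.inv_no)
    return {v: sorted(n) for v, n in hits.items() if len(n) >= min_hits}

def build_sample():
    """Constructed records: one clean invoice, one with four defects, one with no PO,
    and a vendor submitting four no-PO invoices just under a USD 5,000 limit."""
    pos = {"PO-1001": PurchaseOrder("PO-1001", "V100", "docking station", 10, 120.00, "alice")}
    grns = {"PO-1001": GoodsReceipt("PO-1001", 10, "bob")}
    invoices = [
        Invoice("INV-77", "V100", "PO-1001", "docking station", 10, 120.00, "carol"),
        Invoice("INV-78", "V100", "PO-1001", "docking station", 12, 130.00, "alice"),
        Invoice("INV-79", "V200", "PO-9999", "training", 1, 2500.00, "carol"),
        Invoice("GC-01", "V300", None, "consulting", 1, 4900.00, "dave"),
        Invoice("GC-02", "V300", None, "consulting", 1, 4950.00, "dave"),
        Invoice("GC-03", "V300", None, "consulting", 1, 4875.00, "dave"),
        Invoice("GC-04", "V300", None, "consulting", 1, 4990.00, "dave"),
        Invoice("INV-80", "V400", None, "stationery", 1, 4900.00, "erin"),
        Invoice("INV-81", "V100", None, "cables", 4, 50.00, "carol"),
    ]
    return pos, grns, invoices

if __name__ == "__main__":
    pos, grns, invoices = build_sample()
    for inv in invoices[:3]:
        print(inv.inv_no, three_way_match(inv, pos, grns))
    print(threshold_clustering(invoices, 5000.0))
```

The hold reasons are returned as a list rather than a single boolean so the reviewer sees every defect at once; an invoice that fails only on price is an ordinary query, whereas one that fails on quantity, price and segregation of duties together is an investigation lead.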
Vendor master file manipulation
The vendor master file determines where payment goes. An employee who can alter that file without independent review can redirect legitimate payments to an account they control without ever submitting a fraudulent invoice. The technique is to change the bank account number on file for a real, active supplier to an account the fraudster owns, let one or more payment runs go to it and, in the more careful variants, change the details back afterwards. The scheme usually surfaces when the legitimate supplier chases the unpaid invoice, so the loss is typically the payments intercepted before that query is raised and acted on. The same redirection is the goal of external payment-diversion fraud (often labelled vendor email compromise, a form of business email compromise), in which an attacker impersonates the supplier by email to request a bank-detail change; the difference here is that the attacker is internal and already has write access to the master file. The control is the same in both cases: an independent callback to a known supplier contact before any bank-detail change takes effect, regardless of who requested it.
Forensic auditors approach vendor master fraud by obtaining a complete change log from the ERP system covering the investigation period. They filter for changes to bank account fields, payment routing information, and address fields, then review each change against the authorising documentation. Any change that cannot be traced to a written authorisation from an appropriate manager is a finding. Changes made outside business hours, immediately before a large payment run, or by a user account that should not have write access to the master file are high-priority items.
A related technique is the duplicate vendor: creating a second vendor entry for a real supplier with a slight variation in name or tax identification number but a different bank account. Payments intended for the legitimate vendor are diverted if accounts-payable staff select the wrong entry. ERP systems with weak duplicate-detection logic are particularly vulnerable. The audit test is to run a fuzzy-match or string-similarity comparison across all vendor names in the master file, flagging entries with high name similarity but different payment details.
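The three vendor-master tests described above (the segregation-of-duties check from the fictitious-vendor section, the bank-detail change-log review, and the fuzzy duplicate-vendor match) as one added example. This is not code from the original page or from any ERP system; the change-log and master-file layouts, the business-hours window, the 7-day pre-payment-run window, the 0.85 name-similarity cut-off and every record are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from difflib import SequenceMatcher

# Constructed ERP extracts (hypothetical schema). Change log rows:
# (timestamp, user, vendor_id, field, old_value, new_value, authorisation_ref)
CHANGE_LOG = [
    ("2024-03-04 10:12", "dave",  "V300", "CREATE",       "",         "Global Consulting Ltd", "VF-2201"),
    ("2024-03-20 14:05", "erin",  "V100", "BANK_ACCOUNT", "ACC-5001", "ACC-5010",              "VF-2208"),
    ("2024-04-11 22:47", "frank", "V200", "BANK_ACCOUNT", "ACC-5002", "ACC-8841",              ""),
    ("2024-04-15 09:30", "erin",  "V200", "ADDRESS",      "1 High St", "2 High St",            "VF-2215"),
]
# (vendor_id, approver, amount, approval_date)
INVOICE_APPROVALS = [("V300", "dave", 4900.00, "2024-03-18"), ("V100", "carol", 1200.00, "2024-03-25")]
# (vendor_id, payment_run_date)
PAYMENT_RUNS = [("V200", "2024-04-12"), ("V100", "2024-03-29")]
AUTHORISED_MASTER_USERS = {"erin", "dave"}
# (vendor_id, name, tax_id, bank_account)
VENDOR_MASTER = [
    ("V100", "Acme Industrial Supplies Ltd", "TX-1001", "ACC-5010"),
    ("V101", "ACME Industrial Supplies Limited", "TX-1001", "ACC-9777"),
    ("V200", "Northern Cable Co", "TX-2002", "ACC-8841"),
    ("V300", "Global Consulting Ltd", "TX-3003", "ACC-5003"),
]

def sod_breaches(change_log, approvals):
    """Vendors whose creator later approved invoices to them: setup and approval by one person."""
    creators = {v: u for (_, u, v, field, _, _, _) in change_log if field == "CREATE"}
    return sorted({(v, a) for (v, a, _, _) in approvals if creators.get(v) == a})

def risky_bank_changes(change_log, payment_runs, authorised_users, window_days=7):
    """Bank-detail changes lacking authorisation, by an unauthorised user, outside 08:00-18:00
    Mon-Fri, or within window_days before a payment run to the same vendor."""
    flags = []
    for ts, user, vendor, field, _old, _new, auth_ref in change_log:
        if field != "BANK_ACCOUNT":
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        reasons = []
        if not auth_ref:
            reasons.append("no authorisation reference")
        if user not in authorised_users:
            reasons.append(f"user {user} lacks master-file write rights")
        if when.hour < 8 or when.hour >= 18 or when.weekday() >= 5:
            reasons.append("outside business hours")
        for v, run_date in payment_runs:
            gap = (datetime.strptime(run_date, "%Y-%m-%d") - when).days
            if v == vendor and 0 <= gap < window_days:
                reasons.append(f"{gap} day(s) before payment run on {run_date}")
        if reasons:
            flags.append((vendor, ts, user, reasons))
    return flags

def normalise_name(name):
    """Lower-case, drop legal-form suffixes and punctuation so near-identical names compare equal."""
    n = re.sub(r"\b(ltd|limited|llc|inc|co|company|plc)\b\.?", "", name.lower())
    return re.sub(r"[^a-z0-9]+", " ", n).strip()

def duplicate_vendors(master, threshold=0.85):
    """Pairs with similar names or identical tax IDs but different bank accounts."""
    pairs = []
    for i in range(len(master)):
        for j in range(i + 1, len(master)):
            a, b = master[i], master[j]
            score = SequenceMatcher(None, normalise_name(a[1]), normalise_name(b[1])).ratio()
            if (score >= threshold or a[2] == b[2]) and a[3] != b[3]:
                pairs.append((a[0], b[0], round(score, 2)))
    return pairs

if __name__ == "__main__":
    print(sod_breaches(CHANGE_LOG, INVOICE_APPROVALS))
    for flag in risky_bank_changes(CHANGE_LOG, PAYMENT_RUNS, AUTHORISED_MASTER_USERS):
        print(flag)
    print(duplicate_vendors(VENDOR_MASTER))
```

In practice the change log comes from the ERP's audit table, and the first question on any bank-account flag is whether a callback to the supplier was recorded; the code only ranks changes for that review.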
Benford's Law and duplicate-payment analysis
Benford's Law, published by physicist Frank Benford in 1938 and noted earlier by astronomer Simon Newcomb in 1881, predicts that in datasets generated by natural processes the leading digit follows the distribution: 1 appears in about 30.1% of values, 2 in 17.6%, 3 in 12.5%, declining to 9 in 4.6%. The logarithmic basis of this distribution means it applies to datasets spanning multiple orders of magnitude, which describes most accounts-payable datasets well. Invoice amounts from USD 10 to USD 1,000,000 satisfy the spanning criterion. It does not apply to assigned numbers (invoice numbers, account codes), to populations with a built-in minimum or maximum, or to fixed price lists with a few recurring amounts; testing those produces deviations that mean nothing, so the auditor first confirms the population is the kind Benford describes.
Fraudsters who invent invoice amounts tend not to follow this distribution. They avoid amounts that feel implausibly small (so they avoid leading digit 1) and they cluster around values they regard as inconspicuous, often in the 5 to 9 range. They also cluster just below approval thresholds, which causes anomalous spikes at specific values. A forensic auditor compares the first-digit distribution of the payment population against the expected one using a chi-square goodness-of-fit test (eight degrees of freedom for the nine first digits) or a Z-statistic per digit. Chi-square has a known weakness on large populations: with tens of thousands of records even trivial deviations become statistically significant, so Nigrini's mean absolute deviation (MAD) is used alongside it, with first-digit bands of below 0.006 for close conformity, below 0.012 acceptable, below 0.015 marginal, and above that nonconformity. A significant deviation does not prove fraud; it identifies a subpopulation of transactions for further scrutiny. The auditor then applies second-digit and first-two-digit analyses to narrow the sample. Transactions in the flagged cells are pulled for document-level review.
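The first-digit test described above as an added example (not code from the original page). The natural population is constructed as log-uniformly spaced amounts between USD 10 and about USD 1,000,000, which conform to Benford almost exactly, and the fabricated population is 150 invoices invented just under a USD 5,000 threshold; both populations, the 1.96 Z cut-off and the drill-down helper are assumptions for the example. The chi-square critical value (15.507 at eight degrees of freedom, alpha 0.05) and the MAD bands are the standard ones.

```python
import math

BENFORD_FIRST = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_8DF_05 = 15.507   # chi-square critical value, 8 degrees of freedom, alpha = 0.05

def first_digit(amount):
    """Leading significant digit of a positive amount (scales by powers of ten)."""
    a = abs(amount)
    while a >= 10:
        a /= 10
    while a < 1:          # only reached for amounts below 1, which the test excludes anyway
        a *= 10
    return int(a)

def benford_first_digit_test(amounts, min_amount=10.0):
    """Observed vs expected first-digit counts, chi-square, per-digit Z and Nigrini's MAD.
    Amounts below min_amount are excluded, as is usual for AP populations."""
    digits = [first_digit(a) for a in amounts if abs(a) >= min_amount]
    n = len(digits)
    rows, chi2, abs_dev = [], 0.0, 0.0
    for d in range(1, 10):
        obs = digits.count(d)
        p = BENFORD_FIRST[d]
        exp = n * p
        z = (obs - exp) / math.sqrt(n * p * (1 - p))
        chi2 += (obs - exp) ** 2 / exp
        abs_dev += abs(obs / n - p)
        rows.append({"digit": d, "observed": obs, "expected": round(exp, 1), "z": round(z, 2)})
    mad = abs_dev / 9
    # Nigrini first-digit MAD bands
    conformity = ("close" if mad < 0.006 else "acceptable" if mad < 0.012
                  else "marginal" if mad < 0.015 else "nonconformity")
    # Digits significantly over-represented (Z > 1.96), most extreme first
    flagged = sorted((r["digit"] for r in rows if r["z"] > 1.96), key=lambda d: -rows[d - 1]["z"])
    return {"n": n, "chi2": round(chi2, 2), "significant": chi2 > CHI2_CRIT_8DF_05,
            "mad": round(mad, 4), "conformity": conformity, "flagged_digits": flagged, "rows": rows}

def pull_for_review(amounts, result, min_amount=10.0):
    """Transactions whose first digit is in a flagged cell, for document-level review."""
    flagged = set(result["flagged_digits"])
    return [a for a in amounts if abs(a) >= min_amount and first_digit(a) in flagged]

def natural_population(n=1000):
    """Constructed: log-uniform amounts from USD 10 to ~USD 1,000,000, Benford-conforming."""
    return [round(10 ** (1 + 5 * i / n), 2) for i in range(n)]

def fabricated_invoices(k=150):
    """Constructed: invented invoices priced just under a USD 5,000 threshold, all starting with 4."""
    return [round(4900 + 0.66 * i, 2) for i in range(k)]

if __name__ == "__main__":
    for label, pop in (("natural", natural_population()),
                       ("natural + fabricated", natural_population() + fabricated_invoices())):
        r = benford_first_digit_test(pop)
        print(f"{label}: n={r['n']} chi2={r['chi2']} significant={r['significant']} "
              f"MAD={r['mad']} ({r['conformity']}) flagged={r['flagged_digits']}")
        for row in r["rows"]:
            print("   ", row)
```

Note what the drill-down returns: every transaction beginning with the flagged digit, including the genuine ones, which is why the output is a review sample and not a list of fraudulent invoices. Narrowing to the first two digits (48, 49) would shrink that sample considerably before document review.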
Duplicate-payment analysis searches for invoices paid more than once. The analysis runs matching queries across vendor identifier, invoice number, invoice amount, and invoice date in multiple combinations, because duplicates are not always identical records: the same invoice number may be re-keyed with different punctuation, spacing, prefixes, or leading zeros, so invoice numbers are normalised before matching. A common pattern is same vendor, same amount, slightly different invoice number, submitted weeks apart in the expectation that the first payment will have cleared from short-term memory. More sophisticated schemes submit invoices to two different divisions of the same organisation, exploiting the absence of a consolidated payment view. The test should cover a minimum of two years of payment history, because some schemes operate infrequently to reduce detection risk, and genuine recurring charges (the same amount every month from a real supplier) must be separated from the hits before any conclusion is drawn.
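The three matching passes described above as an added example (not code from the original page or any audit tool): an exact match on vendor plus normalised invoice number, a near match on vendor plus amount with a different invoice number inside a date window, and a cross-division match. The payment layout, the 45-day window, the normalisation rules and every record are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed payment history (hypothetical schema):
# (payment_id, division, vendor_id, invoice_no, amount, invoice_date)
PAYMENTS = [
    ("P1", "North", "V100", "INV-0001234", 4800.00, date(2024, 1, 15)),
    ("P2", "North", "V100", "inv 1234",    4800.00, date(2024, 1, 15)),  # same invoice, re-keyed
    ("P3", "North", "V300", "GC-0077",     4900.00, date(2024, 2, 2)),
    ("P4", "North", "V300", "GC-0078",     4900.00, date(2024, 2, 23)),  # same amount, new number, 3 weeks on
    ("P5", "North", "V200", "NC-500",      1250.00, date(2024, 3, 1)),
    ("P6", "South", "V200", "NC-500",      1250.00, date(2024, 3, 1)),   # paid by two divisions
    ("P7", "South", "V200", "NC-501",       980.00, date(2024, 3, 4)),
    ("P8", "North", "V100", "INV-0001300", 4800.00, date(2024, 6, 30)),  # same amount months later: recurring?
]

def normalise_invoice_no(s):
    """Lower-case, drop punctuation/spaces, an INV/INVOICE prefix, and leading zeros after any
    alphabetic prefix, so 'INV-0001234' and 'inv 1234' compare equal."""
    s = re.sub(r"[^a-z0-9]", "", s.lower())
    s = re.sub(r"^(invoice|inv)", "", s)
    s = re.sub(r"^([a-z]*)0+", r"\1", s)
    return s or "0"

def exact_duplicates(payments):
    """Same vendor and normalised invoice number paid more than once (any division, any date)."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p[2], normalise_invoice_no(p[3]))].append(p[0])
    return {k: v for k, v in groups.items() if len(v) > 1}

def near_duplicates(payments, window_days=45):
    """Same vendor and amount, different invoice number, dated within window_days of each other."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p[2], round(p[4], 2))].append(p)
    out = []
    for (vendor, amount), group in by_key.items():
        group.sort(key=lambda p: p[5])
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                a, b = group[i], group[j]
                gap = (b[5] - a[5]).days
                if gap <= window_days and normalise_invoice_no(a[3]) != normalise_invoice_no(b[3]):
                    out.append((a[0], b[0], vendor, amount, gap))
    return out

def cross_division_duplicates(payments):
    """Same vendor, invoice number and amount paid out of more than one division."""
    divisions = defaultdict(set)
    for p in payments:
        divisions[(p[2], normalise_invoice_no(p[3]), round(p[4], 2))].add(p[1])
    return {k: sorted(v) for k, v in divisions.items() if len(v) > 1}

if __name__ == "__main__":
    print("exact:", exact_duplicates(PAYMENTS))
    print("near:", near_duplicates(PAYMENTS))
    print("cross-division:", cross_division_duplicates(PAYMENTS))
```

P8 is deliberately left unflagged: the same amount to the same vendor five months apart under a new invoice number is what a genuine recurring charge looks like, and widening the window to catch it would bury the three-week pattern in false positives.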
Investigation, evidence, and reporting
When analytics tests identify high-priority transactions, the forensic auditor moves from data analysis to evidence gathering. The investigation follows the principles of predication and engagement planning: the auditor documents the basis for suspicion, scopes the investigation to the identified scheme type, and assembles the evidence needed to answer the key questions of whether fraud occurred, who committed it, how much was taken, and over what period.
Document evidence in a billing fraud investigation typically includes: the fraudulent invoices and any supporting documents submitted with them; the purchase orders and goods receipt notes used to clear the three-way match; the vendor master file change log; bank statements for the vendor accounts receiving payment; corporate registration documents for the shell company; and, where asset tracing is possible, records showing how funds were used after receipt. In many jurisdictions, including the United States under the Bank Secrecy Act, the United Kingdom under the Money Laundering Regulations 2017, and India under the Prevention of Money Laundering Act 2002, financial institutions are required to retain transaction records for set periods (typically five years), providing an avenue for obtaining bank evidence with appropriate legal process.
Witness interviews follow the document review. The suspected fraudster is typically interviewed last, after the investigator has secured documentary evidence and completed interviews with other witnesses, including accounts-payable staff, the vendor's contacts (if the vendor exists), and any other individuals with knowledge of the transactions. Guidance on interviewing suspects and witnesses covers the sequencing and technique for this phase.
The investigation report quantifies the loss, identifies the control failures that enabled the scheme, attributes the conduct to specific individuals where the evidence supports it, and recommends remedial controls. The evidentiary standard depends on the intended use: civil proceedings require proof on the balance of probabilities; criminal proceedings require proof beyond reasonable doubt. In corporate investigations that may lead to either outcome, the report is drafted to meet the higher standard while clearly distinguishing findings from inferences. Admissibility of digital and documentary evidence is governed by jurisdiction-specific rules: in India by the Bharatiya Sakshya Adhiniyam 2023, in England and Wales by the Civil Evidence Act 1995 and the Criminal Justice Act 2003, and in the United States by the Federal Rules of Evidence.
An employee submits 30 invoices from a vendor called Global Consulting Ltd, all priced at USD 4,900, just below the organisation's USD 5,000 purchase-order threshold. Which analytics test would most directly flag this pattern?
Key Takeaways
- Billing schemes operate in three main variants: fictitious vendors (shell companies submitting invoices for nothing), pass-through overbilling (real suppliers inflating prices in collusion with an employee), and personal purchases (corporate procurement used for private benefit). Each exploits a different weakness in the procure-to-pay cycle.
- The three-way match of invoice to purchase order to goods receipt is the primary procedural control, but it is defeated by false documents, collusion at the receipt stage, and threshold-based exemptions. Segregation of duties between vendor setup, purchase order creation, goods receipt, and invoice approval is the structural control that limits the damage a single fraudster can do.
- The vendor master file is a high-value target: a fraudster who can alter bank account details can redirect legitimate payments without creating a single false invoice. Change-log review covering bank account and routing fields is a mandatory step in any billing-fraud investigation.
- Benford's Law analysis detects invented invoice amounts by comparing the first-digit distribution of a payment population against the expected logarithmic distribution. A chi-square or Z-score test quantifies the deviation; the flagged subpopulation is then subjected to document review, not treated as proof of fraud.
- Effective billing-fraud detection combines multiple analytics tests, including Benford's Law, duplicate-payment matching, threshold clustering, vendor address overlap, and master file change review, because no single test is conclusive and the intersection of flags across tests produces the highest-confidence sample for investigation.
What is a shell company in the context of vendor fraud?
How does the three-way match control work, and how do fraudsters defeat it?
What is Benford's Law and why is it useful in billing fraud detection?
What is a personal purchase scheme?
How does vendor master file fraud enable billing schemes?