Forensic accounting basics for in-house finance teams

The pattern we have seen repeatedly is the same. A finance team discovers, often by accident, that a series of transactions over the past 18 months does not look right. Round-amount journal entries posted to revenue at quarter-end. Invoices from a vendor whose phone number matches an employee's. Cash deposits that do not reconcile to documented receipts. By the time the finance team flags the pattern, the loss has accumulated, the evidence trail is partially cold, and the conversation with management has to escalate quickly.

Forensic accounting is the toolkit that catches these patterns earlier. It is not a separate function performed by external specialists called in after a problem. It is a set of analytical techniques that an in-house finance team can run as part of its normal monthly close. The techniques are not difficult. They are not widely used.

What forensic accounting actually is

Forensic accounting combines accounting analysis with techniques borrowed from criminology, statistics, and audit. The objective is to find anomalies — transactions or patterns that are inconsistent with what would be expected if the underlying business were operating normally.

The starting premise is that fraud and error leave statistical traces. A person manipulating numbers is making choices about which numbers to manipulate. Those choices, in aggregate, deviate from the distributions that natural data would produce. The deviations are detectable.

Benford's law

The most accessible forensic technique. Benford's law states that in many naturally occurring datasets, the leading digit of values is not uniformly distributed. The digit 1 appears as the leading digit about 30% of the time, 2 about 17.6%, 3 about 12.5%, down to 9 at about 4.6%.

This distribution holds for financial data — invoice amounts, expense claims, payment records — when the data is generated by normal business activity. When numbers are fabricated by a person, the distribution tends to be more uniform. People making up numbers often prefer digits in the middle of the range — 4s, 5s, 6s — over 1s and 2s.

The audit test: pull the leading digits of a large dataset (3,000+ values for statistical reliability) and chart the frequency. Compare against Benford. Significant deviation triggers investigation.

Common applications: expense reimbursements (look for inflated claims), vendor payments (look for fabricated invoices), employee reimbursement claims, sales invoices in cash-heavy businesses.

Benford is not proof of fraud. A deviation can have legitimate explanations — pricing structures that systematically produce certain digits, regulatory thresholds that cluster amounts, etc. It is a flag, not a finding. The flag triggers focused review of the specific transactions in the deviating bucket.

Round-number bias

A second statistical signal. Genuine business transactions rarely produce round numbers. A payment of ₹10,00,000 exactly, an expense claim of ₹5,000 exactly, a sale of ₹2,00,000 exactly — these occur, but at a rate well below their proportion of fabricated entries.

The audit test: pull all transactions where the amount is a round number — ending in five or more zeroes, or being a 'clean' figure like ₹50,000 or ₹1,00,000. Compare the share of round-number entries in the population against the share you would expect from normal business activity.

If the round-number share is materially higher in a specific category — manual journal entries, expense reimbursements, cash receipts — the category warrants investigation.

Journal entry analysis

Manual journal entries are the highest-risk transaction type in any accounting system. They are created by a human, often without the system controls that apply to operational transactions (no three-way match, no PO requirement, no automated approval matrix in many ERPs).

Specific patterns to flag:

Late-night entries. Journal entries posted between 8pm and 6am. These are statistically unusual; staff working late are usually responding to a close deadline. The pattern of a single person posting consistently in the late-night window deserves attention.

Weekend entries. Similar logic. Saturday and Sunday entries should be rare. A weekend entry to revenue or cost of goods sold is a high-priority flag.

Manual entries to high-risk accounts. Revenue, cost of goods sold, and reserves are the accounts most often manipulated in financial reporting fraud. Manual entries to these accounts, particularly at quarter-end, should be reviewed transaction by transaction.

Recurring round-amount entries. A monthly entry of exactly ₹5,00,000 against a specific account, with no underlying documentation, is anomalous. The recurrence and the round amount together amplify the signal.

Unusual approvers. Entries approved by a person who normally does not approve that category. The CEO approving a routine accruals journal, or a regional CFO approving an entry to a head-office account.

Reversing entries. Entries that are posted and then reversed, particularly close to period end. Some reversals are legitimate (correcting an error). Repeated reversal patterns in specific accounts can mask manipulation.

Three-way match audit

The three-way match — purchase order, goods receipt note, invoice — is the standard procurement control. The match should occur for every supplier invoice before payment is released.

Forensic testing of the three-way match: pull a sample of paid invoices. For each, verify the existence and consistency of the PO and the GRN. The errors:

Invoices paid without a corresponding PO (purchases authorised after the fact).

GRNs that were marked as received but where no physical goods receipt exists, or where the receipt was for a different quantity or specification.

POs created after the invoice date (back-dated PO to match an invoice the buyer already received).

Invoices where the PO, GRN, and invoice amounts have small mismatches that were resolved through a manual override.

Bank reconciliation deep-dive

Bank reconciliations are usually summarised at month-end as 'reconciled with N outstanding items'. The forensic question is what the outstanding items are.

Specific patterns:

Stale outstanding cheques — cheques issued more than 6 months ago that have not cleared. These may have been issued but never delivered to the payee, with the funds parked in the company's account waiting for an unrelated outflow.

Unexplained credit entries — deposits in the company account with no corresponding GL entry. These may be misposted customer payments. They may also be deliberately unrecorded receipts being held for off-book use.

Recurring reconciling items — items that appear in the reconciliation every month, never clearing. Either the reconciliation process is poorly executed, or the items reflect transactions that should not be there.

Vendor master analytics

The vendor master file is a fraud-relevant dataset because phantom vendors are a common asset misappropriation scheme.

Tests on the vendor master:

Vendors with no GST registration (or with cancelled GSTINs).

Vendors whose bank account number matches another vendor's, or matches an employee's.

Vendors whose phone number or address matches an employee's.

Vendors created in the last 12 months who have no audit history.

Vendors whose payment records show high-velocity activity disproportionate to their tenure.

Cash receipts to deposits reconciliation

In cash-heavy businesses — retail, gold loans, microfinance, certain service businesses — cash receipts at the customer-facing point of contact have to reconcile to bank deposits.

The forensic test: for a sample of days, reconcile the cash receipt log at the branch against the bank deposit slip. The gap is the question.

Cash receipts that did not deposit. Deposits that did not match a receipt log. Receipts for amounts different from what was deposited. Each is a flag.

When internal is enough, when external is needed

An in-house finance team can run all of the techniques above. They are accessible, the tools are inexpensive (Excel, Power BI, basic SQL), and the methodology is well-documented.

External forensic accountants are needed when:

The pattern detected involves senior management. Internal independence is not adequate.

The matter has legal exposure — civil action, criminal referral, regulatory disclosure — and the forensic work needs to be performed by professionals whose findings will be admissible.

The forensic scope extends to electronic evidence — emails, chat logs, document metadata — which requires specialised tools and legal-process discipline.

The audit committee has explicitly decided that independence requires external execution.

External forensic firms are not needed when:

The objective is detection rather than investigation. Detection is an internal function; investigation may not be.

The pattern is detected at junior levels and the in-house function has the independence to investigate it.

The matter does not have legal exposure that requires external testimony.

The trigger that almost always shifts the work to external: the finance team detects a pattern that implicates a senior leader, and the senior leader is in the in-house team's reporting chain.

How to embed forensic into the monthly close

Five techniques, run monthly, by the in-house finance team:

One. Benford's law on the prior month's expense reimbursements and vendor payments.

Two. Round-number share on manual journal entries.

Three. Late-night and weekend journal entry log review.

Four. Three-way match exception report for the month.

Five. Vendor master changes review (new vendors, modified bank details).

Each of these is a 30-minute exercise once the templates are built. The first run takes longer; the steady-state effort is modest. The output is a one-page anomaly summary for the CFO and the head of internal audit.

What forensic accounting does not do

It does not prove fraud. It produces flags. The flags require follow-up investigation. The investigation either substantiates the concern or rules it out.

It does not replace internal control. Forensic accounting works alongside controls. Controls prevent. Forensic detection catches what slipped through.

It does not work on small datasets. Most of the techniques require population sizes large enough for statistical signals to emerge. For a small business with low transaction volume, the techniques are still useful but the statistical confidence is lower.

Forensic accounting is best understood as a continuous diagnostic, not as an investigation triggered by suspicion. The finance teams that run forensic techniques monthly are the ones that catch issues at week three or week six, not at month eighteen. The cost of the monthly run is small. The cost of not running it is what shows up later, sometimes much later, in the audit committee meeting nobody wanted to call.